New Jersey Privacy Regulations in Limbo: What the Gubernatorial Transition Means for Your Compliance Program


Executive Summary

The fate of New Jersey's proposed privacy regulations implementing the New Jersey Data Privacy Act (NJDPA) now rests with incoming Governor Mikie Sherrill's administration. Because the Murphy administration did not adopt the rules before the January 8 deadline, businesses face continued uncertainty about specific compliance requirements, even though the NJDPA itself has been in full effect since January 15, 2025.

Key Takeaways:

  • Proposed NJDPA implementation rules were not adopted before the gubernatorial transition on January 20, 2026
  • The Division of Consumer Affairs must take action by June 2, 2026 (potentially extended to December 2, 2026)
  • The core NJDPA law remains enforceable, but detailed regulatory guidance is pending
  • The 30-day cure period for violations expires July 15, 2026
  • Organizations should not delay compliance efforts despite regulatory uncertainty


The Current Regulatory Landscape

NJDPA: Already in Effect

The New Jersey Data Privacy Act took effect on January 15, 2025, making New Jersey the 14th state to enact comprehensive consumer privacy legislation. The law applies to businesses that meet either threshold:

  • Process personal data of 100,000+ New Jersey consumers (excluding data processed solely for payment transactions)
  • Process personal data of 25,000+ New Jersey consumers AND derive revenue from selling that data

Unlike most state privacy laws, the NJDPA does not exempt nonprofits, educational institutions, or small businesses that meet these thresholds. This broad applicability makes New Jersey's law one of the more expansive state privacy frameworks.

What the Proposed Rules Would Add

On June 2, 2025, the Murphy administration published proposed implementing regulations that would significantly expand compliance obligations beyond the statute itself. These proposed rules borrowed heavily from California's CPRA and Colorado's CPA regulations, introducing requirements that caught many compliance professionals by surprise:

Enhanced Data Definitions:

  • Expanded definition of "reasonably linkable" personal data to include IP addresses, device identifiers, employment information, and demographic details when aggregated with other data
  • Specific guidance on what constitutes "sensitive data" processing requiring opt-in consent

New Operational Requirements:

  • Mandatory comprehensive data inventory documentation
  • Detailed loyalty program disclosure requirements (similar to California's financial incentive notices)
  • Two-method requirement for consumer rights requests, including a toll-free telephone number
  • 10-business-day confirmation requirement for requests not completed immediately
  • Consent refresh requirements every 24 months without intervening consumer interactions

"Duty of Care" Language:

  • The proposed rules characterize data security obligations as a "duty of care," potentially creating a basis for litigation despite the NJDPA's prohibition on private rights of action
  • This language has drawn significant attention from the plaintiff's bar

Expanded Dark Patterns Prohibition:

  • Cannot bundle incompatible consumer choices (e.g., requiring location data sale consent to receive location-based services)
  • Cannot present preselected or default choices
  • Cannot require clicking through multiple disruptive screens to opt out
  • Must fix known broken links and nonfunctional email addresses

The Gubernatorial Transition: What Happened

Timeline of Events

June 2, 2025: Proposed rules published with 60-day public comment period
August 1, 2025: Public comment period closes
November 4, 2025: Mikie Sherrill wins gubernatorial election
January 8, 2026: Final Murphy administration deadline to adopt rules
January 20, 2026: Governor Mikie Sherrill takes office
June 2, 2026: One-year deadline for rule adoption (can be extended to December 2, 2026)

Why the Rules Were Not Adopted

According to Troutman Pepper Locke's confirmation with the New Jersey Division of Consumer Affairs, the Murphy administration did not adopt the proposed privacy rules before the January 8 deadline—the last publication date under Murphy's governorship. The next biweekly deadline, January 23, occurs after the transition, placing decision authority squarely with the Sherrill administration.

The reasons for non-adoption remain unclear, but several factors may have contributed:

  • Complex stakeholder feedback: The 60-day comment period likely generated significant industry pushback on the more stringent requirements
  • Lame duck limitations: Major regulatory initiatives are often deferred during gubernatorial transitions
  • Policy reassessment: The incoming administration may have requested time to review the rules

Governor-Elect Sherrill's Potential Approach

Background and Priorities

Governor-elect Mikie Sherrill brings a unique background to privacy regulation considerations:

  • Former U.S. Navy helicopter pilot and federal prosecutor
  • Represented NJ's 11th Congressional District (2019-2025)
  • Campaign focused on transparency, accountability, and online safety for children
  • Explicitly committed to "taking on online safety for our kids" during the campaign

Relevant Policy Positions

While Sherrill has not made specific statements about the NJDPA regulations, her campaign priorities suggest potential directions:

Online Safety Focus: Sherrill explicitly campaigned on protecting children from social media harms, stating she would "take on online safety for our kids" as governor. This suggests potential support for strong privacy protections, particularly around children's data.

Government Efficiency: Sherrill emphasized reducing red tape and improving government accountability. This could translate to:

  • Streamlining compliance requirements to avoid unnecessary business burdens
  • Ensuring regulations are clear, enforceable, and practical
  • Balancing consumer protection with economic competitiveness

Transparency and Accountability: Her commitment to "accountability and transparency" in government operations may influence how privacy regulations are structured and enforced.


Four Possible Outcomes

The Sherrill administration faces four realistic paths forward:

Option 1: Adopt as Proposed

Likelihood: Low to Moderate

The new administration could adopt the proposed rules with minimal or no changes, maintaining continuity with the Murphy administration's approach.

Implications:

  • Organizations would face the full scope of California-style requirements
  • Immediate clarity for compliance teams
  • Potential business community resistance

Option 2: Adopt with Modifications

Likelihood: High

The administration could adopt the core framework while modifying specific provisions based on public comment feedback.

Likely modifications:

  • Scaling back the "duty of care" language to avoid unintended litigation exposure
  • Adjusting consent refresh timelines
  • Clarifying loyalty program requirements
  • Streamlining consumer request procedures

Implications:

  • Additional informal comment period likely
  • Adoption timeline extends toward mid-2026
  • More balanced business-consumer approach

Option 3: Substantial Changes Requiring New Comment Period

Likelihood: Moderate

If the administration determines substantial changes are needed, it could reopen the comment period, extending the deadline to December 2, 2026.

Implications:

  • Extended uncertainty for compliance programs
  • Opportunity for stakeholder engagement with new administration
  • Potential for significantly different regulatory approach
  • Delayed final guidance until late 2026

Option 4: Start Over

Likelihood: Low

The administration could withdraw the current proposal and begin a new rulemaking process, though this seems unlikely given the investment already made.

Implications:

  • Maximum uncertainty and delay
  • New proposal cycle extending into 2027
  • Risk of enforcement actions without clear regulatory guidance

Critical Compliance Deadlines

Despite regulatory uncertainty, several hard deadlines remain in effect:

July 15, 2026: Cure Period Expires

The NJDPA provides a 30-day cure period for violations during the first 18 months after the law's effective date. After July 15, 2026, the New Jersey Attorney General has full discretion over enforcement, and the cure period is no longer guaranteed.

Action Required: Organizations must have functional compliance programs in place before this date, regardless of final regulations.

June 2, 2026: Initial Rule Adoption Deadline

The Division of Consumer Affairs must adopt rules within one year of the proposal publication date. This can be extended to 18 months (December 2, 2026) if substantial changes require additional public comment.

Strategic Implication: Companies should plan for regulatory clarity by Q2 2026 at the earliest and Q4 2026 at the latest.

Universal Opt-Out Mechanism: Already Required

The NJDPA requires businesses to recognize universal opt-out signals. This requirement took effect July 15, 2025 (six months after the law's effective date).

Compliance Status: This is non-negotiable and must be implemented now, regardless of proposed rule status.


What Organizations Must Do Now

1. Do Not Wait for Final Rules

The most critical compliance mistake organizations can make is delaying implementation while waiting for regulatory clarity. The core NJDPA obligations are already law and enforceable:

Consumer Rights Implementation:

  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of sales, targeted advertising, and profiling

Sensitive Data Protections:

  • Opt-in consent before processing sensitive data
  • Data protection assessments for sensitive data processing
  • Enhanced protections for known children (ages 13-16)

Operational Requirements:

  • Privacy notice publication
  • Data minimization and purpose limitation
  • Reasonable security measures
  • Contract requirements with processors

2. Prepare for California-Style Requirements

Given that the proposed rules heavily borrow from California and Colorado regulations, organizations should prepare for similar requirements even if the final rules differ:

Data Inventory:

  • Document all personal data processing activities
  • Map data flows and retention periods
  • Identify third-party data sharing arrangements
  • Categorize data by sensitivity level

Consumer Request Infrastructure:

  • Implement multiple request methods (including toll-free number)
  • Create workflows for 10-day confirmation requirements
  • Establish processes for 45-day response timeline (with 45-day extension option)
  • Test request verification procedures

Consent Management:

  • Review all consent mechanisms for dark pattern compliance
  • Implement granular consent options
  • Prepare for potential 24-month refresh requirements
  • Document consent records

Loyalty Program Disclosures:

  • Audit existing loyalty programs
  • Prepare detailed disclosure notices
  • Calculate and document differential value of programs
  • Implement opt-in/opt-out mechanisms

3. Monitor the New Administration's Signals

Organizations should actively monitor for early indicators of the Sherrill administration's approach:

Key Sources:

  • New Jersey Division of Consumer Affairs announcements
  • Attorney General policy statements
  • Legislative hearing testimony
  • Stakeholder meeting invitations
  • Industry association communications

Engagement Opportunities:

  • Submit comments if new comment period opens
  • Participate in industry coalition responses
  • Attend public hearings and workshops
  • Engage directly with Division of Consumer Affairs

4. Conduct Data Protection Assessments

The NJDPA requires data protection assessments (DPAs) for high-risk processing activities, regardless of final rule status:

When DPAs Are Required:

  • Processing sensitive data
  • Targeted advertising
  • Sale of personal data
  • Profiling with legal or similarly significant effects

DPA Components:

  • Benefits and risks of processing activity
  • Reasonable consumer expectations
  • Relationship and context of processing
  • Safeguards and mitigation measures
  • Potential for de-identification

5. Address the "Duty of Care" Issue

Even if the "duty of care" language is modified or removed, organizations should strengthen data security practices:

Recommended Actions:

  • Conduct comprehensive security assessments
  • Document security program maturity
  • Implement encryption for sensitive data
  • Establish incident response procedures
  • Create breach notification protocols
  • Maintain vendor security assessments

Risk Mitigation: Strong security practices defend against both regulatory enforcement and potential future litigation, regardless of how the "duty of care" language is finalized.


Enforcement Landscape

New Jersey Attorney General Authority

The NJDPA grants enforcement authority exclusively to the New Jersey Attorney General through the Division of Consumer Affairs. Key enforcement provisions:

Penalties:

  • Up to $10,000 per initial violation
  • Up to $20,000 per subsequent violation
  • Violations treated as violations of the New Jersey Consumer Fraud Act

No Private Right of Action:

  • Consumers cannot file individual lawsuits
  • All enforcement is government-initiated
  • AG has discretion over enforcement priorities

Current Enforcement Posture

As of January 2026, the New Jersey Attorney General's office has not publicly announced any NJDPA enforcement actions. However, several factors suggest enforcement activity may increase:
