New Jersey recently released draft privacy regulations, and there is a lot to unpack and process.
In this three-part series, I am breaking down the regulations.
Part 1: The New
Part 2: The Helpful
Purpose specification: GDPR-like clarification. You may not:
- Identify one broad purpose to justify numerous processing activities.
- Specify one broad purpose to cover potential future processing activities.
- Specify so many purposes for which personal data could potentially be processed that it becomes unclear or uninformative.
Consent: (Similar to Colorado) They specifically call out:
- When you request consent to process personal data for more than one purpose, and those purposes are not reasonably necessary to one another, the consent must be granular.
- Consent to process personal data for one purpose does not constitute valid consent to process personal data for other purposes.
- Consent to the sale of sensitive data to one specific party does not imply consent to the sale of sensitive data to another.
DPIAs:
- Definition of “essential goods and services”: helpful for assessing whether a decision made by profiling is “legal or similarly significant,” thus requiring a DPIA under the other U.S. state laws too.
- Clarifies that “heightened risk of harm” (often a “catch all” trigger for DPIAs) applies regardless of whether the risk results from the use of manual, automated or algorithmic processes.
- For the “internal operations that are reasonably aligned with the expectation of the consumer” exception, the regs specify guardrails including: data minimization, retention, and technical and organizational measures.
- For using the carve-out from applicability (aka “nothing herein shall prevent controller”): the regs provide guardrails for how the carve-out works. You need to:
  - process only for the purpose listed;
  - process solely to the extent necessary, reasonable and proportionate for the specific purpose listed;
  - carry the burden of proof to show that the exemption applies.
Format of privacy disclosures:
- Emphasis on accessibility online and offline, with a specific requirement for a format that allows printing on paper.
- No need for a New Jersey-specific privacy notice.
Amending privacy notices:
- Explanation of what constitutes a material change in a privacy notice that may trigger the notice/consent requirement, which is required by other state laws.
- Need to update consumers every time a retention term changes or if you want to retain for longer than indicated.
Consumer rights:
- Clarification that there is no need to enable an authorized agent for a preference-signal opt-out.
- Specific requirement regarding how to obligate service providers to stop the processing on behalf of a controller once they are notified.
- Right of Access: the material produced should be free of internal codes and include explanations that ordinary people can understand.
- Right to correct: you may enable people to do it themselves if it’s not overly burdensome.