New Jersey recently released draft privacy regulations, and there is a lot to unpack and process.

In this three-part series, I am breaking down the regulations.

Part 1: The New

Part 2: The Helpful

Purpose specification: GDPR-like clarification. You may not:

  • Identify one broad purpose to justify numerous processing activities.
  • Specify one broad purpose to cover potential future processing activities.
  • Specify so many purposes for which personal data could potentially be processed that it becomes unclear or uninformative.

Consent: (Similar to Colorado) They specifically call out:

  • When you request consent to process personal data for more than one purpose, and those purposes are not reasonably necessary to one another, the consent must be granular.
  • Consent to process personal data for one purpose does not constitute valid consent to process personal data for other purposes.
  • Consent to the sale of sensitive data to one specific party does not imply consent to the sale of sensitive data to another.

DPIAs:

  • Definition of “essential goods and services”: helpful for assessing whether a decision made by profiling is “legal or similarly significant,” thus requiring a DPIA under the other U.S. state laws too.
  • Clarifies that “heightened risk of harm” (often a “catch all” trigger for DPIAs) applies regardless of whether the risk results from the use of manual, automated or algorithmic processes.
  • For the “internal operations that are reasonably aligned with the expectation of the consumer” exception, the regs specify guardrails including: data minimization, retention, and technical and organizational measures.
  • For using the carve-out from applicability (aka “nothing herein shall prevent controller”): the regs provide guardrails for how the carve-out works. You need to:
    • Process only for the purpose listed.
    • Process solely to the extent necessary, reasonable, and proportionate for the specific purpose listed.
    • Bear the burden of proof to show that the exemption applies.

Format of privacy disclosures:

  • Emphasis on accessibility online and offline, with a specific requirement for a format that allows printing on paper.
  • No need for New Jersey specific privacy notice.

Amending privacy notices:

  • Explanation of what constitutes a material change in a privacy notice that may trigger the notice/consent requirement, which is required by other state laws.
  • You need to update consumers every time a retention term changes or if you want to retain data for longer than indicated.

Consumer rights:

  • Clarification that there is no need to enable an authorized agent for a preference-signal opt-out.
  • Specific requirement regarding how to obligate service providers to stop the processing on behalf of a controller once they are notified.
  • Right of access: the material produced should be free of internal codes and include explanations that ordinary people can understand.
  • Right to correct: you may enable people to do it themselves if it’s not overly burdensome.