New Jersey recently released draft privacy regulations, and there is a lot to unpack and process.

In this three-part series, I will break down the regulations.

Part 1: The New

Personal data:

  • Scraping is carved out of “publicly available data” and constitutes personal data.
  • Sale: Sharing with affiliates is not completely carved out. The carve-out doesn’t apply (i.e., it is still a sale) if the sharing is done to circumvent any obligations in the regs.

Scope of laws:

  • Carve out of applicability (aka “nothing herein shall prevent controller…”): You are bound by all obligations if your internal research includes sharing identified data with a third party not for one of the reasons in the carve out. You must get affirmative consent if your internal research uses the data to train AI.

Violations:

  • Under the regs, not providing a notice at or before the processing makes it a violation to collect the data (this is similar to the GDPR’s separate violations of Art 12-14 (need to provide notice) and the more serious Art 5 (violation of transparency)).

Required (new) paperwork for showing data minimization to reflect:

  • Necessity of the data for each purpose.
  • Data inventory with type, where stored and who has access.
  • Retention.
  • Deletion and ensuring processor deletes.
  • Assess whether biometric identifiers are necessary (once a year).
  • Delete data after consent is revoked.
  • Written information security plan.

Privacy notice content:

  • Listing the CCPA categories with a description of the data itself is not enough. New Jersey regs require listing “categories,” but they are much more granular than the CCPA ones (i.e., you need to list out the type of data).
  • Listing specific retention of each category now required in New Jersey.

Loyalty programs:

  • Very detailed notice, as well as a calculation of the value of the data and the benefit reasonably related to the value of the data (latter is similar to California).

Kids:

  • Provides parameters for what constitutes reasonable efforts to ensure that a parent gives consent in connection with processing of data of children under 13 (beyond what is listed in COPPA).

Consumer requests:

  • Opt-out signal for opting out of profiling will be required once the technology exists.
  • For verification: For the right to know categories, you must match at least two data points provided by the consumer. For the right to know data or to delete, a high degree of certainty is required, meaning at least 3 data points must match (California has this as optional).
  • If you can’t verify: explain this in the denial but also evaluate and document whether such a reasonable method exists at least once every 12 months.

For DPIA:

  • Requirement to review assessment re: profiling at least annually.