New Jersey recently released draft privacy regulations, and there is a lot to unpack and process.
In this three-part series, I am breaking down the regulations:
Part 1: The New
Part 2: The Helpful
Part 3: The Surprising
For this section, I wanted to note some things that aren’t really new, but seem new. These are things we probably didn’t realize we may already need to be doing (e.g., under the Colorado CPA).
- Sensitive information: Includes financial information (similar to California, but unlike many of the other states). It specifically includes status as transgender or non-binary.
For privacy notice format:
- Special emphasis on dark patterns, which largely parallels the FTC workshop and the Colorado CPA, with specific callouts for: disruptive screens; scrolling through text to locate the opt out; bundling incompatible purposes; symmetry; affirmative acceptance.
For privacy notice content:
- If you were only listing data processing using the CCPA categories and not adding a description of the data itself, you should start. The New Jersey regs require listing “categories,” but they are much more granular than the CCPA ones (i.e., you need to list out the type of data).
- If you weren’t already listing the specific retention period for each category of data under the CCPA, now may be a good time to start for New Jersey.
- Additional, detailed disclosure for profiling (similar to the Colorado CPA).
- Need to describe the process for how you will notify of amendments to the privacy notice (similar to Colorado).
- Need to provide an explanation of how to authenticate the authorized agent and how the authorized agent can exercise the opt out.
For consumer rights methods:
- Need an interactive form for consumer requests unless you don’t operate online (like CA).
- One of the methods for requests has to be a toll-free phone number (like CA).
For consumer rights:
- Initial response required within 10 days (like in CA).
- Another endorsement for naming the opt-out hyperlink “Your Privacy Choices” (like CA and CO) or “Do not sell or share my personal data” (like CA).
- If you are not able to verify identity, you need to explain your process and why it didn’t work.
- If a consumer submits a request to exercise more than one data right and you are able to fulfill the opt-out request more quickly than the other requests, you need to complete the opt-out request before any other data right request (this was suggested in recent CA guidance).
For loyalty programs:
- Requirement for a very detailed notice, as well as a calculation of the value of the data and the benefit reasonably related to the value of the data (the latter is similar to CA).