NJ Gets Moving on Comprehensive Privacy Law Rulemaking
Long-awaited draft rules to implement New Jersey's comprehensive privacy law surfaced Wednesday. Comments are due Aug. 1, said the New Jersey Division of Consumer Affairs document, which is expected to be published in the New Jersey Register on Monday.
Sign up for a free preview to unlock the rest of this article
While the New Jersey Data Privacy Act (NJDPA) took effect months ago, on Jan. 15, stakeholders were waiting for the division to launch a rulemaking as required by the law. Privacy experts shared the draft around LinkedIn and quickly offered first impressions Wednesday, with some noting that the draft rules raise the bar.
"If finalized, these rules will likely reshape how in-scope organizations design, disclose, and operationalize consumer privacy," posted Fred Binghham, privacy counsel for film studio Skydance. "While California, Colorado, and Virginia helped pioneer U.S. privacy laws, New Jersey is now taking the lead on enforcement-ready specificity. These rules don't just say what to do -- they say how to build it."
The draft said “the proposed new rules will make it easier for consumers to exercise their data rights by specifying how controllers must respond to data right requests, from accepting and verifying the requests, to responding to and complying with the requests.”
“To facilitate controllers’ compliance with the NJDPA’s consent requirements, the proposed new rules clarify when consent is required and how controllers can lawfully solicit and refresh consumer consent.” Controllers and processors will incur compliance costs, the draft rules note. However, the division “believes that the public interest in protecting consumer personal data and facilitating the exercise of the data rights granted by the NJDPA outweighs the costs imposed.”
New Jersey’s draft rules are “not as hefty” as California Consumer Privacy Act regulations, but “meatier” than Colorado Privacy Act rules, said New Jersey-based privacy attorney Alfred Brunetti of Porzio Bromberg in a LinkedIn post. Brunetti noted that the law’s July 15 deadline for honoring universal opt-out signals remains despite the Aug. 1 deadline for comments.
Keir Lamont, Future of Privacy Forum senior director, highlighted a proposed ban of “broad disclosures intended to justify numerous processing activities or to cover potential future processing activities.” Draft rules also include “California-style factors to consider whether a new processing purpose is compatible with disclosed activities or requires new consent,” he said.
In addition, the draft proposed data-minimization rules that would require companies to make a data inventory and quickly delete sensitive data after consumers revoke consent, said Lamont. Businesses would have to refresh consent to process sensitive data after two years of not interacting with consumers. Also, the draft rules include some “prescriptive risk assessment requirements, including ‘technology to be used’ in processing and risks of ‘psychological harm’ posed to consumers,” he said.
David Saunders, a privacy attorney with McDermott Will, posted that proposed data inventories and some other requirements “go well beyond the statute.”
Bingham said the draft rules raise the bar for states on dark patterns, universal opt-out mechanisms and profiling transparency. "If adopted, these proposed rules could become the new gold standard for consumer data privacy protection -- or potentially the next template for federal reform."