Privacy Daily is a service of Warren Communications News.
'Highly Detailed'

NJ Privacy Law Draft Regs Contain 'Uncommon' Requirements, Warn Lawyers

Businesses should be aware of unusual requirements in New Jersey draft rules for implementing the state’s comprehensive privacy law, several law firms warned in blog posts this month.

The state’s Division of Consumer Affairs published draft rules for implementing the New Jersey Data Protection Act (NJDPA) on June 2, months after the law took effect on Jan. 15 (see 2506020034 and 2505280058). The division sought comments on the draft rules by Aug. 1; the state’s attorney general's office expects to adopt rules “sometime in 2026.” Only three states’ sweeping privacy laws required rulemakings: California, Colorado and New Jersey.

New Jersey’s “highly detailed” proposal includes “several notable distinctions from the statute itself that, if adopted, could affect business compliance strategies,” wrote Duane Pozza and three other Wiley privacy attorneys in a blog post Tuesday. Similarly, Davis Wright attorneys Alexander Sisto and Nancy Libin highlighted multiple “new or uncommon requirements” from the draft in a June 10 blog post.

“Although many of these proposed regulations generally track the existing California and Colorado privacy regulations, New Jersey has taken additional steps to clarify and outline detailed examples and processes for complying with current privacy requirements,” Kim Phan and other Troutman Pepper privacy attorneys blogged June 10. In addition, the draft “would introduce a number of significant definitions and compliance mandates not found in the NJDPA or most other states,” Janis Kestenbaum and three other Perkins Coie privacy lawyers wrote the same day.

For example, potentially affecting the law’s scope, the draft rules “would define ‘reasonably linkable,’ a key element of the threshold term ‘personal data,’ and establish new limitations on the statutory exceptions to the definition of ‘sale,’” the Wiley lawyers said. The Troutman Pepper lawyers said that the clarification that personal data includes any information that can be reasonably linkable to a person “appears to expand the definition to cover any information which, even if alone, may not be reasonably linkable to an identified person, can be reasonably linkable to an identified person if combined with other data elements.”

Data elements that could render information reasonably linkable include: (1) full name; (2) mother’s maiden name; (3) phone number; (4) IP address; (5) birthplace; (6) birthdate; (7) geographical details like city, state, country or ZIP code; (8) employment information; (9) account information; (10) mailing address; and (11) race, ethnicity, sex, sexual orientation, or gender identity or expression, said the Perkins Coie lawyers: “A number of these data elements are not typically included in traditional definitions of ‘personal data’ across state privacy laws,” introducing “new ambiguity into a generally well-established consensus of what constitutes personal data across U.S. states.”

In addition, multiple law firms mentioned that the draft rules would limit an exemption for internal research so that it wouldn’t apply to training AI, unless the consumer gave opt-in consent.

“This exclusion could impact companies that use personal data to train internal AI systems for ordinary business purposes,” said the Troutman Pepper lawyers. “Without providing a definition for AI, this provision may cover a wide range of AI tools and technologies, from machine learning models to generative AI systems for which no personal data may be used for training, even if for internal research purposes.” The Davis Wright lawyers noted that the draft rules don’t “define or create any other obligations specific to artificial intelligence.”

Fresh Obligations

Companies may have to add to their privacy notices if the draft is adopted as-is, several law firms noted. For example, businesses must “describe categories and purposes of use of personal data with sufficient detail and granularity” and indicate how long the controller intends to keep personal data, the Wiley lawyers said.

The draft also includes “specific requirements when controllers process personal data for profiling for a decision that produces legal or similarly significant effects concerning the consumer,” plus “new notice and consent rules in cases of material changes to a privacy notice.”

“In addition to the typical disclosures that most state privacy laws require, privacy notices must include the purpose(s) of collecting personal data, described in a level of detail that gives consumers a meaningful understanding of how each category of personal data is used,” noted the Davis Wright lawyers.

Troutman Pepper added that “to help consumers understand a controller’s processing activities, a controller would be prohibited from specifying one broad purpose to justify numerous processing activities, from specifying one broad purpose to cover potential future processing activities, and from specifying so many purposes for which personal data could potentially be processed that the purposes become unclear or uninformative.”

Other novelties from the draft rules include “flow-down requirements for controllers to instruct processors to fulfill consumer rights requests,” and “relatively prescriptive standards” for controller obligations like purpose specification and data minimization, wrote the Wiley attorneys, not to mention “recordkeeping requirements that are not listed in the statute.”

In addition, the Wiley lawyers flagged “highly specific guidance related to toggles, banner notices, bundling choices, links, scrolling, and processing time, among other operational issues” and “lengthy and prescriptive provisions governing consent,” such as requiring consent to be refreshed if the controller and consumer haven’t interacted for two years, and requiring data to be deleted immediately once a consumer revokes consent.

Controllers would have to carefully follow the draft rules’ guidance for submitting rights requests and obtaining consent, cautioned the Davis Wright lawyers. “A method that does not comply with these principles will be considered a dark pattern, and any option chosen through the use of dark patterns will not constitute valid consumer consent even if it is a design or practice that is commonly used.”

The Davis Wright attorneys noted that, while the draft rules are detailed and technical about honoring universal opt-out preference signals, they “do not indicate whether any existing mechanisms, such as Global Privacy Control, satisfy these criteria, or whether controllers are expected to assess the mechanisms for compliance prior to recognizing their signals.”

The draft rules would require companies to give notice on or before enrollment in loyalty programs, “though such [a] requirement is not contained in the NJDPA,” added the Perkins Coie lawyers.

“Similar to California’s requirement of a ‘Notice of Financial Incentive,’ this notice would have to include specific information about the program, such as the types of personal data collected through the loyalty program, the purposes for which the data is used, and any third parties that will receive the consumer’s personal data, including whether personal data will be provided to data brokers,” they wrote. “Additionally, the notice would have to explain the value of the consumer's data in relation to the offered benefits and provide clear information on how consumers can opt out of the program.”