NJ Draft Privacy Rules Seen as Potentially Most ‘Aggressive’ in US
New Jersey’s proposed privacy rules might be the most “aggressive” in the country, particularly the potential limitations on AI-related data scraping, attorneys and a tech industry official said in interviews.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
New Jersey’s Office of Consumer Protection earlier this month delayed until Sept. 2 the deadline to submit comments on draft rules for implementing the New Jersey Data Privacy Act (NJDPA) (see 2508010007).
State privacy laws to this point have exempted publicly available data from the definition of personal data, even when the publicly available data is scraped from apps and the internet. In contrast, New Jersey has proposed treating scraped data as personal data. The draft document states: “‘Publicly available information’ shall not include the scraping of personal data or personal data obtained from data brokers that is not otherwise publicly available.”
It appears to be a “backdoor way” to regulate AI developers and deployers, said Jonathan Ende, a McDermott Will privacy attorney. “It’s a pretty significant limitation on what is publicly available.”
Not only is data scraping “normal” business practice, but “it’s necessary for the development” of large language models, said Arnold & Porter’s Jami Mills Vibbert: New Jersey would be a “total outlier.”
The Software & Information Industry Association (SIIA), in comments at the New Jersey office, recommended state regulators strike the data-scraping provision: “Information that is lawfully made available to the general public should retain its status as publicly available, consistent with First Amendment principles and the intent of privacy laws to exempt such data.”
Stakeholders will have to see what provisions are finalized, but there’s always risk of litigation when final rules go beyond statutory language, SIIA Head of Global Public Policy & Government Affairs Paul Lekas said. “There’s time to recraft a number of these provisions in an appropriate way to meet the interests in having more specificity while also staying within the terms of what the governor and legislature endorsed.” SIIA members want to avoid any litigation, he added.
Vibbert said she would be surprised if the data-scraping requirement is finalized, given the “political climate” at the federal level on AI. Regulation of AI has drawn much friction at the federal and state levels. In Colorado, Gov. Jared Polis (D) and Attorney General Phil Weiser (D) have signaled the state should take into account impacts on innovation when reconsidering the state’s comprehensive AI law (see 2508060055). Polis spoke in support of Congress’ proposed moratorium on state AI laws before the effort failed in the Senate (see 2507010071).
Vibbert said “good lobbyists” will use the innovation argument against the data-scraping provision. Most of what is proposed is within the bounds of the statute, but that provision might go “a little too far.”
Ende said several of the proposed regulations exceed the statute, including documentation requirements that are more in line with measures in Europe. New Jersey also proposed loyalty program provisions similar to the financial incentive requirements under the California Consumer Privacy Act, he said. “If it does move forward [in this form], it’s going to be a big deal, particularly because New Jersey is a big state that’s important from a business perspective for a lot of companies," he said. “It could be a game-changer.”
Vibbert said that while the data-scraping provision will draw a lot of attention, she expects New Jersey will finalize everything else: “I will be surprised if the web-scraping aspect of this goes through, and I would be surprised if anything else materially changes in these rules.”