New Jersey Urged to Withdraw 'California-Style' Privacy Regulations
Many industries are sounding the alarm over proposed rules to implement the New Jersey Data Privacy Act. In comments submitted by the Sept. 2 deadline, industry officials said a draft by the attorney general’s Division of Consumer Affairs is too burdensome and exceeds what’s allowed under the NJDPA and other laws. On the flip side, several consumer privacy advocates suggested that the state legislature should overhaul the law itself to make it far stricter.
The division had sought feedback on draft rules from May (see 2505280058). It got plenty, receiving comments from about 50 groups representing a large array of sectors, according to a 438-page omnibus (part one, part two, part three) obtained earlier this week by Privacy Daily. Many of the business groups that filed raised concerns similar to those of industry parties that released comments earlier this month (see 2509030038). Some used stronger language than others.
"The draft regulations must be rejected to facilitate compliance and address conflict with the statutory text and other privacy frameworks on which the NJDPA was modeled,” commented the New Jersey Business and Industry Association. The proposed rules inappropriately exceed the NJDPA with “California-style privacy requirements.” The group also raised constitutional and New Jersey Administrative Procedure Act concerns.
The State Privacy & Security Coalition, a national group representing the telecom, technology, automotive, health care, and payment card industries, said “several provisions in the proposed rules introduce overly prescriptive requirements, exceed statutory authority, or impose compliance obligations that may unintentionally undermine consumer experience or business innovation." Unless changes are made, “these proposed rules will not be able to be successfully implemented, and ... we would request that they not move forward."
Many industry groups urged the division to stay within the bounds of the NJDPA and avoid making requirements not found in other states' privacy laws. For example, TechNet explained that it commented at length because the proposed rules “run far afield of the underlying statute and propose novel requirements that will be unnecessarily burdensome for businesses in New Jersey and impede innovation, without corresponding consumer benefit."
Other business groups claimed the proposal wasn’t kind to small businesses. “New Jersey’s proposed rules reflect a fundamental misunderstanding of how small businesses use data and data-powered tools -- especially when working with third-party digital platforms such as Shopify, Google, and Constant Contact -- to reach customers, grow, and compete effectively and affordably,” protested the Connected Commerce Council. “While the proposed regulations exempt businesses handling fewer than 100,000 customers’ data annually, even the smallest businesses with a digital presence would still be impacted. That’s because small businesses’ larger digital partners would have to comply with the new rules -- making their data-powered tools less effective and more expensive.”
ACT | The App Association told the division not to ignore that the group's small and medium-sized developer members "may lack the resources of larger companies to manage complex compliance obligations." The Developers Alliance added that the proposed rules "demonstrate a deep failure to understand how small developers leverage data to create, launch, and grow apps, all while competing with larger companies in today’s competitive digital landscape."
One of those large companies, Google, suggested focusing “on clarifying existing obligations under the statute over introducing new, additional obligations not expressly required by the law" and on harmonizing with other national and global standards. Be flexible about compliance, "prioritizing substance over form,” added Google. “By and large, the proposed rules meet these goals," but in “a few places … the proposed rules would result in outlier requirements that are not 'necessary to effectuate the purposes' of the NJDPA ... and indeed may undermine statutory intent."
Consumer Advocates Say Law Is Weak
While industry complained about possibly large compliance burdens, consumer privacy advocates commented that the rules could be stronger. In fact, they said, it would be better for the legislature to go back and remake the NJDPA as a data-minimization law.
For instance, the NJDPA doesn't adequately protect consumer privacy, and the legislature should consider amending it "to place substantive limits on data collection and processing rather than relying on businesses to determine the appropriate purposes for processing and simply disclosing those purposes to the consumer,” said joint comments by the Electronic Privacy Information Center (EPIC), Consumer Federation of America, TechEquity and others.
“The notice-and-consent approach of the statute and proposed rules will have limited benefits for consumers, as it gives companies wide latitude with respect to the personal data they process as long as they disclose their collection and use in their privacy notices,” said the Center for Democracy & Technology. “Therefore, the Division should also encourage the state legislature to update the NJDPA to better protect consumers by requiring companies to limit their collection of personal data to only what is necessary to provide a requested product or service, not to what they have disclosed to consumers.”
The proposed rules “may cause companies to be more transparent about their practices and the measures they establish to mitigate and prevent risks,” the group added. “However, the rules provide consumers minimal recourse for the disclosed practices in which companies engage or for the safeguards they fail to establish. Companies should be responsible for being honest about how they handle people’s data, but transparency only achieves so much without strong data minimization provisions and enforcement mechanisms to prevent privacy harms from occurring in the first place."
Consumer Reports agreed that the New Jersey privacy law isn’t “as strong as it should be," since, like other state privacy laws, it relies on notice and choice and because it "simply contains too many loopholes and instances of ambiguous drafting." CR added that it plans "to advocate to New Jersey lawmakers to improve the law."
Advocates also suggested ways for the division to tighten the draft rules. For example, the EPIC group supported how the proposed regulations "clearly articulate the rules around adequate forms of consent and prohibitions on manipulative design and dark patterns,” but it said the division should "strengthen the data security responsibilities imposed on entities that collect personal information."
Also, it said the division should "clearly define the scope of the NJDPA and identify specific forms of data collection, processing, and transfer that are permitted or prohibited.”
Many Sectors Concerned
Groups representing a variety of industries detailed their complaints with the draft rules.
The Association of National Advertisers, Interactive Advertising Bureau (IAB) and multiple other ad groups argued that some proposed rules “would impose operational complexity on businesses and would also likely run counter to consumers’ expectations and choices related to personal data about them.”
Commenting separately, the IAB Tech Lab raised concerns about a proposed rule that requires controllers to notify all third-party recipients of a consumer’s personal data when the consumer opts out of its sale and directs third parties to comply with that choice. "As currently drafted, this proposed regulation would significantly impact the digital advertising industry, where a 'sale' of personal data -- as defined in the NJDPA -- encompasses [regularly occurring] personal data flows involving digital advertising selection, delivery, and reporting."
The division also received concerns from the telecom industry, including wireless industry association CTIA and cable company Altice. CTIA urged the New Jersey agency to withdraw and rework the rules, which raise “serious legal and policy concerns." Among other arguments, Altice said the definition of personal data is too broad, suggesting that "date of birth is 'personal data' because, when combined with other data -- depending on what the other data is -- it theoretically could identify a specific person."
The video game industry also hammered the proposal, with the Entertainment Software Association (ESA) urging the state to "focus on concrete, rather than speculative, consumer harm.” It also criticized several proposed requirements as being vague or creating "paperwork" or "box-ticking" exercises.
Like many of the other industry groups, the ESA suggested aligning rules more closely with the NJDPA and other states' privacy laws. For example, it said no "other state comprehensive privacy law requires such granular retention disclosures within their privacy notice requirements, recognizing that rigid, category-specific timelines are often impractical and misaligned with how businesses actually manage data."
Top consumer credit agencies also raised concerns. Experian said one "proposed requirement to provide notices to consumers 'at or before' the point of personal data collection" doesn't align with "the NJDPA and would have the unintended consequence of restraining constitutionally protected commercial speech, harming competition, constraining small businesses, and undermining services designed to protect consumers from fraud and security threats." TransUnion said the same proposed requirement doesn't "fully account for real-world data flows."
Several health, life sciences and medical industry groups weighed in as well. The International Pharmaceutical & Medical Device Privacy Consortium said its members’ chief privacy officers are “concerned that some definitions and requirements within the Proposed Rules may lead to ambiguity or unintended burdens” for their industries.