Overview
New Jersey’s Office of Consumer Protection has prepared proposed rules for the New Jersey Data Privacy Act (NJDPA) (Proposed Rules). While the bulk of the Proposed Rules consist of recitations of the obligations found in the NJDPA, there are several materially new requirements that may come as a surprise to companies, including new definitions and compliance obligations. These new requirements are borrowed largely from existing California and Colorado privacy regulations. The comment period for the Proposed Rules will be open through August 1, 2025. Companies wishing to comment on the Proposed Rules should reach out to their regular McDermott lawyer or one of the authors.
For more information about the applicability of the NJDPA, see our Global Privacy & Cybersecurity Resource Center.
In Depth
New Definition of “Personal Data”
One of the cornerstones of any consumer privacy law is the definition of “personal data.” Consistent with other state laws, the NJDPA defines that term as “any information that is linked or reasonably linkable to an identified or identifiable person.” The Proposed Rules, however, go further, introducing a more expansive version of which data elements, when combined, could be “reasonably linkable” to a person or device.
Specifically, the Proposed Rules define “Personal Data” so as to include “(1) full name; (2) mother’s maiden name; (3) telephone number; (4) IP address or other unique device identifiers; (5) place of birth; (6) date of birth; (7) geographical details (for example, zip code, city, state or country); (8) employment information; (9) username, email address, or any other account holder identifying information (including, but not limited to, social media accounts); (10) mailing address; and (11) race, ethnicity, sex, sexual orientation, or gender identity or expression.” It is difficult to understand the breadth of this definition, which is far broader than that of any other state consumer privacy or breach law.
The Proposed Rules attempt to limit the reach of these elements by explaining that the above data elements are “reasonably linkable” only “if [they] can identify a person or a device linked to a person when aggregated with other data.” This means a date of birth alone may not be “personal data,” but some combination of the 11 items above could be “reasonably linkable.”
New Controller Obligations
The Proposed Rules include new controller obligations, including the requirements that controllers:
- Create and maintain a data inventory documenting the types of personal data that the controller possesses, where the data is stored, and who has access to the data.
- Immediately delete a Consumer’s sensitive data after the Consumer revokes consent for the Controller to process their personal data.
- Maintain records of data subject requests for 24 months.
- Add significant detail to their data privacy impact assessments, including evaluating specific types of harm and incorporating technical details about the processing activity that is the basis for the assessment.
Privacy Notice Requirements
The Proposed Rules introduce accessibility requirements to disclosures, which are common to most websites. For example, the Proposed Rules require that disclosures to consumers be accessible to consumers with disabilities and be available in languages in which the business normally interacts with its customers. A more interesting requirement is that the disclosures be easily printed.
In addition, the Proposed Rules would introduce the requirement for companies to disclose (1) more granular descriptions of the data collected; (2) the length of time each category of information will be retained; (3) a statement regarding whether the business knowingly sells or shares the personal information of minors; and (4) additional detail regarding the data subject request process used by the business. The Proposed Rules also introduce a suite of disclosures necessary for any company that profiles consumers for a decision that has a significant effect on the consumer (e.g., lending or housing).
The Proposed Rules also clarify that privacy notices do not require a separate section for New Jersey-specific disclosures.
Loyalty Program Notices
The term “loyalty” appears in the NJDPA twice, both times in acknowledgements that those programs are allowable. The Proposed Rules, however, introduce an array of requirements for loyalty programs, beginning with the development and distribution of a “Loyalty program notice,” which must include a variety of details about the program, similar to California’s financial incentive disclosure requirements.
Designated Methods for Submission of Data Subject Requests and Related Requirements
The NJDPA gives controllers the freedom to provide an email, website, or toll-free number through which data subject requests can be made. However, borrowing a page from California, the Proposed Rules would require that the controller provide two methods, one of which must be a toll-free telephone number.
Also new in the Proposed Rules is a requirement that for any data request not effectuated within 10 business days of receipt, a business must contact the data subject to “confirm receipt” of the request.
With respect to denials of consumer requests, the Proposed Rules would require the disclosure of the express reasons the request was denied, including, for example, an explanation of what information would be necessary to verify identity in the instance where lack of verification was a basis for the denial.
The Proposed Rules take yet another page from California by including requirements regarding the level/quantity of verifications that need to be performed for each type of request. For example, for a right to know, businesses must verify two pieces of information, whereas for a right to access, the business must verify three pieces of information from the requestor.
Again borrowing from California, the Proposed Rules have language regarding browser opt-out signals, which largely tracks the current California Consumer Privacy Act rules.
Introducing “Duty of Care”
Perhaps one of the more troubling aspects of the Proposed Rules is the introduction of a section related to reasonable data security that parrots language associated with fiduciary duty. The Proposed Rules refer to the NJDPA obligation to safeguard information as a “Duty of Care,” a label that is sure to draw the attention of the plaintiff’s bar and perhaps provide a method for an end-run around the prohibition on private rights of action under the NJDPA.
Consent Requirements
The Proposed Rules also borrow from existing Colorado regulations regarding the obtaining of consent when required under the NJDPA. Substantively mirroring the existing Colorado regulations, the Proposed Rules introduce several pages of requirements for obtaining valid consent, including a requirement that consent be refreshed after 24 months if there have not been any intervening interactions with the consumer.
Increased Requirements for Avoiding Dark Patterns
The NJDPA provides that consent is not effective if obtained through a so-called “dark pattern.” The Proposed Rules add substantially more detail to what constitutes a “dark pattern,” including:
- Controllers must not bundle Consumer choices in an incompatible manner, such as by requiring consumers to consent to the sale of location-based data to receive location-based services.
- Controllers cannot present Consumers with preselected or default choices.
- Controllers must not impair a consumer’s ability to make a choice, such as by requiring the consumer to click through “multiple disruptive screens” to opt out.
- Controllers must fix circular or broken links and nonfunctional email addresses that they know of or should know of.
Business Action Items
The comment period on the Proposed Rules is open until August 1, 2025. Comments can be submitted here.
For more information, or if you would like to submit comments to the Proposed Rules, please contact your regular McDermott lawyer or one of the authors.