The New Jersey Division of Consumer Affairs recently released a set of proposed regulations under the New Jersey Data Privacy Act. These rules mark the third robust state-level regulatory framework implementing a comprehensive consumer privacy law following California and Colorado, and they offer valuable insight into the state’s evolving compliance expectations.
New Jersey’s proposed rules borrow heavily from California and Colorado, particularly in how they define timelines and structure compliance obligations. But they also introduce new layers of specificity that could help businesses better understand their responsibilities.
These include:
1. Material Changes: Defined and Clarified
One of the most helpful aspects of the proposed rules is how they flesh out the concept of a “material change” in data use. Under most state privacy laws, using personal data in a new way—that is, one this is different from what was originally disclosed—requires at least providing notice, and often, obtaining consent.
New Jersey’s draft rules provide concrete examples of what constitutes a material change, such as:
- Changing the categories of personal information being processed
- Changing the purposes for which that information is used
While these may seem intuitive to privacy professionals, this level of clarity is a welcome development for businesses trying to operationalize compliance.
2. Record Retention for Consumer Rights
Another standout feature is the guidance on retaining records related to consumer rights requests. California, for example, requires businesses to retain deletion request records for two years—but other states have been vague on how long to keep records and what they must include.
New Jersey’s rules aim to fill that gap by specifying what records must be kept and for how long. This could serve as a useful model for businesses building or refining their data retention programs.
3. Heightened Consent for Teens
The proposed rules introduce a heightened consent standard for processing sensitive personal information of minors aged 13 to 17. Notably, consent must be refreshed every 24 months. This refresh requirement adds a new layer of compliance complexity that businesses will need to track carefully.
4. Consent for Targeted Advertising to Teens
In a move that echoes age-appropriate design codes, the rules also require consent for targeted advertising to 13–17-year-olds. Including this in general consumer privacy regulations—rather than a separate children’s privacy law—is a notable shift from what we’ve seen in other states.
These proposed rules are extensive, and businesses will need to carefully evaluate which provisions apply and how to implement them. However, they’re not final yet, and the public may provide comments until August 1st. If your business could be affected, now is the time to weigh in and help shape the final version of the rules. Once finalized, aligning your compliance program with these regulations will be essential to ensuring your data practices are both lawful and defensible.
Wondering what these rules mean for your business or need assistance preparing comments? We can help.
Watch Josh’s video on LinkedIn for more information.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.