Odia Kagan of Fox Rothschild writes:
New Jersey recently released draft privacy regulations, and there is a lot to unpack and process. In this three-part series, I will break down the regulations
Part 1: The New
Personal data:
- Scraping is carved out of “publicly available data” and constitutes personal data.
- Sale: Sharing with affiliates is not completely carved out. It doesn’t apply (i.e.. still a sale) if done to circumvent any obligations in the regs.
Scope of laws:
- Carve out of applicability (aka “nothing herein shall prevent controller…”): You are bound by all obligations if your internal research includes sharing identified data with a third party not for one of the reasons in the carve out. You must get affirmative consent if your internal research uses the data to train AI.
Violations:
- Under the regs, not providing a notice at or before the processing makes it a violation to collect the data (this is similar to the GDPR separate violations of Art 12-14 (need to provide notice) and the more serious Art 5 (violation of transparency).
Required (new) paperwork for showing data minimization to reflect:
- Necessity of the data for each purpose.
- Data inventory with type, where stored and who has access.
- Retention.
- Deletion and ensuring processor deletes.
- Assess whether biometric identifiers are necessary (once a year)
- Delete data after consent is revoked.
- Written information security plan
Read more of Part 1: The New at Privacy Compliance & Data Security.