Consumer Reports Submits Comments on New Jersey Privacy Rulemaking

September 2, 2025
_Comments of Consumer Reports in Response to the New Jersey Division of Consumer Affairs’ Proposed Rules Implementing the New Jersey Data Privacy Act
455.6 KB

Consumer Reports submitted comments to the New Jersey Division of Consumer Affairs (Division) in response to its request for comments on its proposed rules to implement the New Jersey Data Privacy Act (NJDPA).

Consumer Reports is supportive of a substantial portion of the Proposed Rules. For example, we appreciate that the following requirements are currently included and would urge the Division to retain them in any future version of the rules: 

  • Controllers must establish and maintain a data inventory (Section 13:45L-6.3(b)(2)) 
  • Controllers are not required to authenticate identity for opt-out requests (Section 13:45L-4.1(b))
  • Controllers must wait at least 12 months after opt-out before requesting opt-in consent (Section 13:45L-3.4(f))
  • The use of personal data for developing AI can only be achieved with consent (Section 13:45L-1.3 (d)(1)(ii))
  • Controllers must test opt-out flows for functionality (Section 13:45L-1.5(a)(5))
  • Controllers cannot bundle consent for incompatible processing purposes and cannot  force consumers to consent to the unnecessary processing of personal data as a condition of receiving the product or service  (Section 13:45L-1.5(a)(4)(ii) and Section 13:45L-7.2(a)(2)(ii)) 
  • Controllers cannot obtain consent via dark patterns (Section 13:45L-1.5(a))
  • Publicly available information does not include personal data collected via scraping or collected from data brokers (Section 13:45L-1.2)

At the same time, we recommend a number of narrow modifications on a few key points to ensure that the NJDPA’s new rights are functionally usable and effective for consumers. Specifically, we urge the Division to: 

  • Amend or provide additional clarity regarding certain key definitions, including the definition of “access request”, “data broker”, “publicly available information”, and “targeted advertising” 
  • Clarify the scope of the proposed restrictions against bundling of incompatible consent requests 
  • Issue clearer guidance on how companies may authenticate residency and legitimacy
  • Require controllers to clearly disclose that they are covered by the NJDPA and list New Jersey if they list other states where they are required to honor privacy rights 
  • Clarify the scope of the right to opt-out of profiling
  • Require companies to provide a pre-use notice before engaging in profiling
  • Clarify that consumers may opt-out of sales of personal information collected through loyalty programs without withdrawing from the program entirely
  • Clarify that opt-out requests do not always double as deletion requests
  • Clarify that entities that indirectly collect consumer data must abide by deletion requests
  • Certify GPC as a legally-binding opt-out mechanism 
  • Remove unnecessary burdens on UOOMs that will result in opt-out friction

To read the full comments, please see the attached PDF.

IssuesTech & Privacy
Experts
Matt Schwartz
Policy Analyst, Tech & Privacy
Justin Brookman
Director, Technology Policy
You Might Also Be Interested In
press release
September 5, 2025
California’s Surveillance Pricing Protection Act (AB 446) fails to advance California legislature
press release
August 29, 2025
Consumer Reports statement on California Senate Appropriations Committee holding the California Location Privacy Act
August 15, 2025
Consumer Reports Supports Massachusetts S. 2516, (the Massachusetts Data Privacy Act)
press release
August 13, 2025
More than 75,000 consumers urge FTC to crack down on AI voice cloning fraud