Carveouts for Airlines, Nonprofits Sought in NJ Privacy Comments
Some groups seek assurances that they won’t be covered by rules implementing the New Jersey Data Privacy Act, according to comments submitted to the New Jersey attorney general’s Division of Consumer Affairs by Sept. 2. Many other business sectors urged the division to withdraw or significantly overhaul draft rules released last May (see 2509120009), according to comments obtained by Privacy Daily (part one, part two, part three).
Exempt air carriers since “the federal government exclusively governs the privacy practices of air carriers with respect to consumers,” said Airlines for America (A4A), an association representing top U.S. air carriers. The 1978 Airline Deregulation Act exclusively allows the Department of Transportation to regulate consumer privacy related to air carriers. “However, let me assure you, A4A members are committed to providing the highest quality of service, which includes protecting their customers’ privacy and data,” wrote Graham Keithley, the association’s deputy general counsel for regulatory legal affairs.
Concerned about potential compliance costs, the American Heart Association recommended exempting "nonprofits that are registered with the NJ Division of Consumer Affairs and maintain a 'compliant' status, collect personal data only during legitimate activities related to the organization's tax-exempt purpose and do not sell personal data."
"The cost of compliance will certainly have an impact on our donors and future donations, posing negative downstream effects to our lifesaving mission," the association added. "We are talking about spending millions of dollars on compliance and staffing operators to gather and respond to potential requests."
The HealthCare Institute of New Jersey urged the division to align its definition of de-identified data with the Health Insurance Portability and Accountability Act and extend the law’s data-level HIPAA exemptions to data collected by medical devices or internationally. While describing itself as generally neutral about the proposal, it said "we strongly believe that these rules and the enabling statute leave out critical clarifications for the medical technology and life sciences industries that would ensure continuity of care for patients throughout New Jersey as well as the ability of these industries to continue researching and discovering new cures and treatments."
The Medical Society of NJ noted that, while "HIPAA continues to govern the handling of protected health information within the clinical setting, many of our members operate multifaceted practices, ranging in size from single-physician offices to multi-specialty groups, that collect and process consumer information outside the scope of HIPAA. For example, many members’ practice websites invite inquiries from prospective patients, some of whom will not end up receiving treatment from the practice’s physicians.” As a result, some electronically stored “consumer information will never become protected health information under HIPAA, and thus will fall within the ambit of the NJDPA and the Division’s proposed rules.”
Credit unions, especially small ones, “will need to make significant operational adjustments to ensure data minimization, purpose limitation, and robust security practices,” said the CrossState Credit Union Association. However, it said such “additional compliance burdens … may be unnecessary given the existing regulatory framework for credit unions and other businesses operating in the state.”
Meanwhile, the Professional Insurance Agents of New Jersey told the division it was glad for the NJDPA’s Gramm-Leach-Bliley Act and insurance exemptions.