The Ecommerce Innovation Alliance (EIA) is issuing an alert about significant new privacy regulations proposed by New Jersey that could impact ecommerce businesses across the US.
Senate Bill 332, or the New Jersey Data Protection Act (NJDPA), was signed into law by Governor Murphy on January 16, 2024, and went into effect on January 15, 2025. The NJDPA establishes comprehensive consumer data rights and imposes new obligations on businesses that collect or process personal information, including requirements for transparency, data protection assessments, and honoring opt-out requests. It aims to give New Jersey residents greater control over their personal data while aligning the state with other modern U.S. privacy frameworks.
On June 2, 2025, the New Jersey Office of Consumer Protection released new proposed privacy and compliance regulations that go significantly beyond the existing New Jersey Data Privacy Act (NJDPA), which is already in effect. These compliance regulations, if adopted, will apply to every business that operates in New Jersey or targets New Jersey residents and processes personal data of at least 100,000 NJ residents (or 25,000 if you profit from data sales).
These proposed rules introduce major shifts that may directly impact ecommerce businesses:
- Expanded Data Definitions: “Personal data” now broadly includes information linkable to a person or device, even if your business can’t directly identify them (e.g., unique device identifiers, social media info). “Sensitive data” uniquely includes financial details like account and credit card numbers combined with security codes, bringing heightened risk. Business owners should reassess their data inventories to capture these new categories.
- Stricter Consent and “Dark Patterns” Prohibition: Silence or inaction cannot be considered consent. Coercive tactics and preselected options are forbidden. Opt-out mechanisms must be easily findable, and bundling incompatible data uses is banned. Brands should redesign their website’s cookie banners and user interfaces for clarity and symmetric choice presentation.
- Heightened Data Minimization & Impact Assessments: Businesses must document the necessity of each category of personal data collected and delete data immediately when no longer needed or consent is withdrawn. Data Privacy Impact Assessments (DPIAs) are mandatory before high-risk processing, requiring regular reviews and retention.
- New “Duty of Care” Standard: An explicit “duty of care” to protect data confidentiality, integrity, and accessibility is introduced, requiring comprehensive security practices. This could significantly increase privacy litigation risk, especially concerning website cookies and third-party trackers.
- More Granular Privacy Policy Disclosures: Privacy notices must specifically describe each data category (e.g., “email address” not “contact information”) and disclose retention periods for each. Disclosures must be clear, in plain language, accessible, and in all languages your business uses.
- Stricter Rules for AI and Internal Research: The internal research exemption does not apply if data is used to train AI models, unless consumers have affirmatively consented. This is a more restrictive approach than other state privacy laws. If your business uses customer data for AI model training, you will likely need explicit, affirmative consent for that specific purpose.
- New Loyalty and Discount Program Disclosures: Businesses offering loyalty programs in exchange for data must provide a “loyalty program notice” at or before enrollment. Consumers must be able to withdraw without penalty, and benefits must be reasonably related to the value of the personal data. If a business cannot demonstrate proportionate benefits, it may not offer the program at all.
Your Voice Matters: Engage with State Regulators!
The public has until August 1, 2025, to submit written feedback on the proposed rules during the 60-day comment window. Once the comment period closes, the New Jersey Division of Consumer Affairs will evaluate all submissions before finalizing the rules through a formal Notice of Adoption, anticipated in 2026.
EIA will prepare comments on behalf of our members, but we also urge business owners to submit comments before August 1st to provide your unique perspective on how these changes could negatively impact your business.
Send your comments via email to DCAProposal@dca.lps.state.nj.us. Be sure to include the following in your email:
- Email Subject Line: “Proposed New Rules: N.J.A.C. 13:45L”
- Email Body: Type your comments to the Rule Proposal, Name, Affiliation, and Contact Information (email address and telephone number) in the email body.
The EIA is closely monitoring the implementation of the New Jersey Data Privacy Act and will continue to provide policy analysis and compliance insights as the law evolves. As a voice for the ecommerce industry, EIA is committed to helping businesses understand their obligations, mitigate legal risk, and engage with policymakers on practical, business-friendly solutions.
Subscribe to EIA email updates to stay informed on key developments and their impact on your business.