Following our recent blog post, “Why New Jersey’s New Privacy Rules Should Worry Ecommerce Brands Nationwide,” the Ecommerce Innovation Alliance (EIA) has submitted our comprehensive comments on proposed New Jersey privacy rules to the NJ Division of Consumer Affairs. This submission, filed on August 1, 2025, reflects the collective voice and unique perspective of our diverse membership, with a particular focus on the small and mid-size businesses that drive job growth across the nation.
At the EIA, we are dedicated to fostering a predictable and fair legal environment for the ecommerce industry, advocating for common-sense policies that strengthen the ecommerce ecosystem while robustly protecting consumer privacy. We commend the New Jersey Division of Consumer Affairs’ stated intent to protect consumer privacy, which is a goal we wholeheartedly share. However, as we highlighted previously, the proposed new privacy regulations, released on June 2, 2025, appear to go “significantly beyond” the existing New Jersey Data Protection Act (NJDPA) and introduce requirements that diverge substantially from other comprehensive state privacy laws.
Our comments emphasize that these proposed rules raise significant concerns for ecommerce brands nationwide, particularly for smaller businesses operating across state lines.
Here’s a summary of the key points we raised in our formal submission:
- Unique Burdens on Smaller Ecommerce Companies Operating Nationwide:
  - Unclear Applicability: The proposed regulations fail to provide clear guidance on how a business, especially a small one, will know if it is subject to the NJDPA. The expansive and imprecise definition of “personal data” (e.g., including telephone numbers without a practical way to determine if they belong to a New Jersey resident) makes it impossible for smaller businesses to determine their compliance obligations.
  - Broad Extraterritorial Reach & Patchwork of Regulations: These rules will apply to businesses anywhere in the U.S. that interact with New Jersey consumers, regardless of physical presence. This broad applicability, coupled with compliance obligations that conflict with or expand upon existing state privacy laws, creates a complex and costly “patchwork” of regulations. For a small ecommerce company, developing and maintaining separate compliance frameworks for each state is immensely challenging and resource-intensive, diverting resources from innovation and job creation.
- Specific Onerous Compliance Requirements:
  - Expanded Data Definitions: The broadened definition of “personal data” and the categorization of financial, health, and biometric data as “sensitive data” requiring heightened consent complicate data mapping and processing across multiple states.
  - Heightened Consent and “Dark Patterns”: While we support protecting consumers from manipulative practices, the lack of specificity regarding what constitutes a “dark pattern” in the proposed rules has the potential to lead to increased “shakedown” style litigation against ecommerce companies. We recommend clarifying that only actions previously recognized by entities like the FTC or ICPEN should be actionable.
  - Data Protection Assessments (DPAs) & AI Regulations: The mandate to conduct comprehensive DPAs and assess/mitigate risks related to AI systems that process personal data requires specialized expertise and significant resources, often beyond the capacity of smaller businesses. Differing state-specific AI regulations could stifle innovation, especially for businesses relying on integrated AI platforms.
  - Operational Complexity & Increased Costs: The cumulative effect of these differing requirements — including those for data minimization, loyalty programs, children’s data protection, and data subject rights fulfillment — creates immense operational complexity and significantly increased costs. Small businesses typically lack the dedicated legal, privacy, and IT departments of larger enterprises to constantly adapt to divergent state-specific regulations.
In light of these concerns, the EIA respectfully offered the following recommendations to the New Jersey Division of Consumer Affairs:
- Align with Existing Comprehensive State Laws: If federal legislation isn’t immediately feasible, we urged New Jersey to align its proposed rules more closely with existing comprehensive state privacy laws, such as the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA). This would significantly reduce the compliance burden for businesses already operating under similar frameworks.
- Provide a Sufficient Implementation Period: We recommended a substantial implementation period to allow businesses, particularly smaller ones, adequate time to understand, prepare for, and implement the necessary operational and technical changes without facing immediate penalties.
- Issue Clear Guidance and FAQs: We called for clear, practical, and well-reasoned guidance, including FAQs, specifically addressing common scenarios faced by ecommerce businesses and clarifying ambiguities to reduce uncertainty and potential for “shakedown” litigation.
The EIA is committed to helping businesses understand their obligations, mitigate legal risk, and engage with policymakers on practical, business-friendly solutions. We firmly believe that a balanced approach, prioritizing federal harmonization or, at minimum, greater alignment with existing state laws, coupled with practical implementation support, is crucial for achieving both effective consumer protection and a thriving ecommerce industry.
We will continue to closely monitor the implementation of the New Jersey Data Privacy Act and provide policy analysis and compliance insights as the law evolves.