Industry Groups Slam Draft NJ Privacy Rules as Excessive
Draft regulations to implement the New Jersey Data Protection Act (NJDPA) may exceed the statute, said advertising, tech industry and news media groups in comments to the New Jersey attorney general’s office’s Division of Consumer Affairs. They suggested that New Jersey try to align more closely with other states that have comprehensive privacy laws.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The division released draft rules in May (see 2505280058). After a delay, comments were due Tuesday this week (see 2508010007). Since the draft was issued, privacy attorneys have remarked on the unusual nature of some of the proposed requirements (see 2506170037 and 2507180020), with some describing the package as potentially the most aggressive in the country (see 2508110047). The attorney general’s office has said it expects to adopt final rules in 2026.
The Consumer Affairs Division didn’t immediately make all comments it received public. However, Privacy Daily reviewed a handful of filings posted online by the parties themselves.
In one set of comments, the Network Advertising Initiative prodded the New Jersey division to stay in its lane. "The purpose of regulations is to implement, not alter statutory requirements,” said NAI. “Where proposed rules exceed or diverge from statutory language, the intended goals and balance achieved by lawmakers will be frustrated." Also, wherever possible, the division "should seek harmony with requirements in other states,” said NAI, noting that rules should be "technologically achievable" for data controllers.
The Software & Information Industry Association (SIIA) commented that some parts of the proposed rules "are likely to have unintended consequences, including undermining protections for consumers and burdening companies attempting to operate in good faith without, on balance, providing meaningfully stronger guardrails around consumer data."
Meanwhile, a press association urged the division "to take a more moderate approach" in proposed privacy rules "to avoid constraining New Jersey citizens’ access to high-quality journalism." In joint comments, the New Jersey Press Association (NJPA) and News/Media Alliance urged the state not to burden publishers "with compliance obligations that offer little appreciable consumer benefit.”
One way the draft rules go beyond the statute, said NAI, has to do with a proposed requirement that controllers disclose the names of any third parties to which they sell sensitive information. NAI said the statutory text of the NJDPA only requires disclosure of the categories of third parties.
“Departing from the NJDPA in this way is problematic" because it "would be unlikely to aid in consumer comprehension or promote informed decision-making" and challenging for businesses to implement,” said the ads group: Also, it would "take New Jersey out of alignment with other authorities that have addressed the issue of third-party transparency" and "create tension with other requirements in the NJDPA that protect trade secrets.”
Industry Sees 'Overbroad' Terms
NAI, SIIA and the Computer & Communications Industry Association (CCIA) each protested the scope of several terms in the proposed rules.
For example, CCIA commented that the proposed definition for data broker “would sweep in a large share of businesses that rely on third-party data for marketing and product development.” The tech industry group said a company could possibly “become classified as a 'data broker' merely by commissioning a survey of who has purchased products or services like theirs in a given area."
To alleviate such concerns, NAI suggested removing the term “data broker” from the rules. Or at least align the definition with other states, said the ads industry group. “As it stands, the proposed definition of ‘data broker’ is expansive and captures entities that merely collect personal data outside of a direct relationship with a consumer, without requiring that the entity sell or otherwise monetize that data. This broad definition would sweep in many businesses that an average consumer would not consider to be a data broker."
Meanwhile, the draft definition of sale is so broad that it “could qualify data transfers between controllers and processors as sales,” said CCIA. “Basic use of smart devices (such as a TV linking to a user’s streaming services) could also qualify as sales under this definition.”
SIIA added that the proposed definition of biometric data “would inadvertently bring a vast array of personal data, which is not truly biometric based on any common understanding of the term, within the scope of ‘sensitive data.’”
Not only that, but the proposed definition of “essential good and services” is loose enough to potentially "cover nearly any product or service,” including “profiling activities that pose minimal risk to consumers,” SIIA said. “Narrowing this definition to truly essential services would align it with the intent of privacy protections to focus on high-risk scenarios and prevent unintended overreach.”
CCIA and SIIA additionally objected to excluding scraped data from the proposed definition of publicly available information. “Since indexing publicly available data does not undermine privacy rights and can greatly improve convenience for consumers, this provision should be removed,” said CCIA.
A draft rule regarding universal opt-out mechanisms is also "overbroad” as it “forces users to opt out of data collection practices merely because they share a browser with another user who has sent an opt-out preference signal,” said CCIA.
NAI raised a similar concern, saying that the proposed language "suggests that an opt-out preference signal transmitted from a single browser may require the controller to apply the opt-out across an entire network, to all devices using that network, and to any consumer profiles linked to that browser or network -- including pseudonymous profiles.”
‘Burdensome and Unnecessary’
A proposed requirement to conduct data inventories also received consternation from the two tech associations. It is “burdensome and unnecessary,” said SIIA. “Although data mapping is a valuable practice, mandating a highly detailed data inventory with specificity imposes a significant compliance cost that is again quite attenuated from the privacy concerns of consumers themselves,” said SIIA.
A data inventory “requirement provides little benefit to consumers ... and the detail required to document and continuously update such complex information flows is extremely onerous for controllers,” agreed CCIA. “Moreover, forcing controllers to store the access permissions and storage locations of consumer data increases the odds that malicious actors will obtain this sensitive information.”
Industry groups balked at several other proposed obligations, as well.
For instance, NAI objected to a heightened opt-in standard proposed for personal data processing for AI training. Instead, the New Jersey rules should "treat AI training like any other non-exempt processing activity -- fully subject to the NJDPA’s general requirements -- without layering on a special opt-in standard not found elsewhere in the statute."
SIIA disagreed with proposed consent obligations like having a 12-month waiting period after a consumer opts out before asking for consent again. “While preventing aggressive re-solicitation is important, a complete prohibition on reasonable, non-repetitive requests for consent after a period can hinder legitimate business practices and consumer choice.” SIIA added that it would hurt small and medium-sized businesses the most.
In addition, the software association suggested removing a proposed requirement to delete user data in response to opt-out requests. "An opt-out signifies a preference to cease certain processing activities, not necessarily a desire for data erasure."
Meanwhile, the NJPA and News/Media Alliance opposed a proposed "duty of care" related to data security practices, "which would impose a liability standard that is not included in the Act and therefore beyond the scope of the Division’s authority." The proposed standard “is too onerous and subjective, and could expose already vulnerable publishers to additional (and unnecessary) legal liability,” it said.
The press groups also disagreed with a proposal that they said would ban "publishers from using outputs (either data or resulting research) from internal research to develop, improve, or repair products, services, or technology to train [AI], unless the consumer has affirmatively consented to such use." That would effectively create "a new 'opt-in' consent requirement for using lawfully-collected personal data," which exceeds the privacy law in New Jersey as well as similar laws in other states, they said.
New Jersey’s rules shouldn’t “restrict publishers from responsibly leveraging data using [AI] to make their personalized, edited content more readily available to readers at a reasonable cost … particularly in an environment otherwise rife with disinformation,” added the news groups. Likewise, the associations argued against proposed limits on targeted advertising for their members because they said it “generates revenue necessary for publishers to continue to create fact-checked content available to New Jersey residents at low cost or sometimes no cost."