Developers Alliance Comments on Proposed New Jersey Privacy Regulations

The Developers Alliance understands the importance of keeping sensitive information secure online. However, the new rules proposed by the New Jersey Division of Consumer Affairs demonstrate a deep failure to understand how small developers leverage data to create, launch, and grow apps, all while competing with larger companies in today’s competitive digital landscape.

In particular, the Developers Alliance has deep concerns with the following:

Overly Restrictive & Broad Definitions 

Data is everything for small developers. Developers and third-party platforms like Constant Contact, Salesforce, Google Ads and Google Play, Wix, etc. collect general, non-personally identifying data to help apps better understand their customer base, make informed business decisions, and grow. 

Regarding the proposed regulations, we have several concerns about overbroad or inaccurate definitions and characterizations of normal business practices. 

First, the definition of “personal data” is very broad. The data collected by developers and third parties is non-identifiable and educates developers on the general makeup of their customer base. For example, it’s important for a vacation rental app to understand basic information about its users, like the region they live in and their general interests, so it can suggest relevant vacation homes. This type of data collection is used for most standard business practices, like sending coupons to customers to mark their birth months or advertising based on general interests like favorite sports teams. 

Similarly, the regulations misclassify regular data processing as a “sale.” Apps often seamlessly integrate with third-party platforms, meaning data is regularly transferred to and from developers and third parties. This process, however, could drastically change because of the proposed definition of “sale.” Most state privacy laws exclude data transfers from being considered a “sale” if the data is used to provide the user-requested service. However, the proposed regulations would remove this exception if the third party uses the data for “its own purposes.” These purposes could include services such as analytics and insights about customers, like those Google Play offers through the Developer Console. For example, if a vacation rental app user requests to receive the app’s newsletter, their data is likely transferred to an email marketing platform like Mailchimp. While the customer may have authorized the app to send them marketing emails, they have not requested that their data be used to provide the app with insights about customer opens, geographic data, etc. Under the new rule, this data transfer counts as a “sale,” triggering burdensome compliance measures and discouraging developers from using helpful third-party services.

Lastly, the definition of “sale” favors large companies that can hire teams to keep data internal (first-party data). By keeping the data internal, they don’t have to comply with regulations relating to the “sale” of data. Most smaller developers do not have this bandwidth and, therefore, must leverage third-party partners and comply with opt-out requirements. 

Misleading Opt-outs

Opt-outs, especially universal opt-out mechanisms (UOOMs), are rarely understood by consumers and often do more harm than good. The proposed regulations include far-reaching opt-outs and data deletion signals that go beyond protecting consumer information, and will make it much harder for small developers to advertise, understand their user base, and make informed business decisions. 

These same issues occurred when Apple launched its App Tracking Transparency (ATT) opt-out feature in 2022, which requires apps to ask for user permission before tracking activity across other apps and websites. It presents users with a misleading choice: “Allow” or “Ask App Not to Track.” With little context and confusing word choice that does not clarify what the app is “tracking,” many users instinctively pick “Ask App Not to Track.” The intention of ATT is to give users more control over their data, but it actually harms small developers by limiting the amount of data available for important practices like digital advertising. Regulators in France even fined Apple $162 million over the practice, arguing that it harms small app publishers and “is neither necessary for nor proportionate with” Apple’s goal of protecting personal data.

Additionally, forcing developers to wait a full year before reaching out to users who opt out of personal data collection for targeted advertising makes it very hard to grow. In an extremely competitive digital economy, it’s vital for small developers and businesses to establish relationships with their customers. Requiring a confusing and unnecessary opt-out, and then making developers wait a year before reengaging, would crush these relationships and have catastrophic consequences for the digital ecosystem. 

Furthermore, additional aspects of the UOOM provisions raise significant concerns. The regulation is unclear about what applying a UOOM to a “network” means, stating that the signal applies to “the associated browser, network, or device(s).” Similarly, requiring controllers to offer consumers an option to extend UOOM recognition across platforms, devices, or offline based on user-provided information is overly burdensome, presents verification challenges, and can create disruptive user interfaces. We propose clarifying or striking the ambiguous scoping of UOOM recognition and the extension requirement.

We also note that the prohibition of default settings is phrased incorrectly in the draft text, which states a UOOM “must: […] 7. Not make use of a default setting that opts a consumer into the processing of personal data for purposes of targeted advertising or sale of personal data.” This language is redundant given that a UOOM is, by definition, an opt-out signal. We recommend aligning this with standard language from other states, prohibiting “default-on opt-out signals that do not reflect a clear consumer intent to opt-out.” Lastly, the regulations state the UOOM signal must be in a “format commonly used and recognized by controllers,” but do not provide for a list of AG-approved signals. An Attorney General-published list of recognized signals, similar to Colorado’s approach, would significantly reduce confusion for businesses and promote compliance, and we advocate for its addition.

Burdensome Obligations 

Most app-based businesses are extremely small — in the U.S., over 80% of apps were created by teams of 5 or fewer people — so they don’t have the necessary resources to address time-consuming, costly, and confusing compliance requirements. Creating burdensome obligations gives large companies the upper hand, while leaving smaller businesses scrambling to comply.  

Additionally, the proposed obligation to establish a detailed “Data Inventory” requires controllers to document the types of data they possess, their storage location, and access permissions. While seemingly straightforward, the expected granularity of such an inventory would be incredibly burdensome for businesses. Therefore, we propose striking this requirement to allow companies to allocate resources more efficiently towards privacy safeguards.

Similarly, the regulation’s provisions for the automatic flow-down of both Opt-Out and Deletion requests to all third parties are highly problematic. Draft text specifies that when a consumer opts out, the controller “shall… Notify all third parties to whom the controller has sold or with whom the controller has shared the consumer’s personal data of the consumer’s choice to opt out and direct them to comply and forward the request to any other person to whom the third party has made the personal data available during that time period.” A similar mandate exists for deletion requests. We advocate striking these requirements as they are often illogical, may conflict with user intent (e.g., non-sale data transfers unrelated to targeted advertising), and create extensive record-keeping burdens, making it difficult for recipients to confirm authenticity.

To maintain a competitive innovation economy, regulators must keep small developers in mind when drafting proposals.

The Developers Alliance thanks the New Jersey Division of Consumer Affairs for the opportunity to comment on its new privacy proposals. The proposed regulations may aim to keep consumer data secure online, but ultimately, they use overly restrictive and broad definitions, create misleading opt-outs, and force burdensome requirements on small developers. We urge you to revise the proposed rules, taking small developers and the digital ecosystem into consideration. 

Sincerely, 

Jake Ward

Co-founder & chair, Developers Alliance

©2025 Developers Alliance All Rights Reserved.