New Jersey Adopts New Data Broker Registration Regime and Sensitive Data Sale and Licensing Restrictions
Time 3 Minute Read

On June 30, 2026, New Jersey Governor Mikie Sherrill signed into law A.5328 (“the Act”), requiring data brokers and data collectors to register annually, pay a fee, make specified disclosures, and refrain from selling or licensing sensitive data.

The law took effect immediately, with the exception of provisions requiring the New Jersey Division of Consumer Affairs to establish and maintain a public registry of covered data brokers and collectors, which remain inoperative for 270 days after enactment. On July 10, the Division announced that the initial registration period for covered data brokers and data collectors will run from April 1 through June 30, 2027, and that it will provide additional guidance before that period begins.

The law creates requirements for both “data brokers” and “data collectors:”

  • A “data broker” is a person or legal entity that knowingly collects or purchases the personal data of a consumer with whom it does not have a direct relationship and sells or licenses that data to a third party.
  • A “data collector” is a business, or a unit of a business, that knowingly collects the personal data of a consumer with whom it has a direct relationship and sells or licenses that personal data to a data broker.

As a result, the law may apply not only to traditional data brokers, but also to entities that sell or license personal data obtained through a direct consumer relationship, if that data is sold to data brokers. In addition to registration and annual fee requirements, data brokers and data collectors must disclose certain information as part of the registration process and, like controllers (discussed further below), are prohibited from selling or licensing sensitive data subject to applicable statutory exemptions.

The law establishes an annual registration fee structure based on the number of New Jersey consumers whose personal data a data broker sells or licenses, or whose personal data a data collector collects and sells or licenses to a data broker. Fees start at $5,000 annually for 100,000 consumers or fewer and increase to $1.5 million annually for more than 4.5 million consumers.

The law also creates significant penalties for noncompliance. A data broker or data collector that fails to register or pay the required registration fee is liable for the unpaid registration fees for each applicable year, plus a civil penalty of $2,500 for each day of noncompliance. Failure to submit or update required registration information likewise carries a civil penalty of $2,500 per day. A data broker, controller, or data collector that unlawfully sells, offers for sale, or licenses sensitive data is liable for a civil penalty of $50,000 per record.

The law also amends New Jersey’s comprehensive privacy law to prohibit controllers from selling sensitive data. The statute defines sensitive data to include personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis, certain financial information, sex life or sexual orientation, citizenship or immigration status, transgender or nonbinary status, genetic or biometric data used to uniquely identify an individual, personal data collected from a known child, and precise geolocation data. The law does not include a consent-based exception to this prohibition, and the prohibition applies to all individuals and legal entities regardless of the number of consumers whose data the individual or entity controls or processes.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page