NJ Passes Costly Data Broker Law
New Jersey just enacted a new data broker law (AB5328), hard on the heels of Connecticut’s passage of a data broker law mirroring California’s DELETE Act last month, making New Jersey the sixth state to implement a data broker-specific law. But unlike all previously enacted data broker laws, the scope of New Jersey’s data broker law is unparalleled in breadth and registration fees. This law requires not just data brokers (which is defined similarly to other laws) to register with the state, but also first party ‘data collectors’ (entities that have a direct relationship with consumers) who ‘sell or license’ consumer data to data brokers. Moreover, the registration fees are tied to the volume of New Jersey residents’ data being processed, which is significantly higher than any other state to date.
Who Must Comply
As stated above, both data brokers and data collectors must register with New Jersey.
A ‘data broker’ is “a person or legal entity, including, but not limited to, a controller, that knowingly collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells or licenses that data to a third party. A third party shall not include a processor if licensure or disclosure of personal data to the processor is solely to process the personal data on the data broker's or data controller's behalf… Examples of a direct relationship include if the consumer is a past or present: (1) customer, client, subscriber, or user of the person or legal entity's goods or services; (2) employee, contractor, or agent of the person or legal entity; (3) investor in the person or legal entity; or (4) donor to the person or legal entity” (AB 5328 § 2(a)).
A ‘data collector’ is defined as “a business, or units of a business, separately or together, that knowingly: (1) collect the personal data of a consumer with whom the data collector has a direct relationship; and (2) sell or license such personal data to a data broker” (id.).
Neither ‘data broker’ nor ‘data collector’ include a government entity, including any federal agency or State agency, any political subdivision, or any division, board, bureau, office, commission, or other instrumentality created by a political subdivision.
But what makes this law unprecedented is that this law applies to entities that do have a direct relationship with consumers, namely data collectors. This means that entities need to be aware of whether or not the entities they sell/license personal data to are data brokers as defined under this New Jersey law.
However, this New Jersey law includes carve-outs clarifying when a business is not considered a data broker or data collector. A business does not qualify as either if its data brokering activity is incidental to any of the following business activities: (1) developing or maintaining a third-party e-commerce or application platform; (2) providing directory assistance or directory information services; (3) providing publicly available information related to an individual’s business or profession; (4) providing financial or real estate services; (5) providing alerts via alert services for health or safety purposes; or (6) providing title and settlement services.
There’s also a possible exemption for business-to-business data brokering (or first party licensing). The law’s definition of ‘consumer’ explicitly excludes individuals “acting in a commercial or employment context, but in its definition of data broker, the law provides examples of a ‘direct relationship’ which includes “if the consumer is a past or present… employee, contractor, or agent of the person or legal entity.” This requires further clarification from New Jersey regulators.
Volume-Tiered Registration Fees
The New Jersey registration fees are much higher than any other state data broker law to date and, unlike other state data broker laws, the New Jersey law takes a tiered volume-based approach. The registration fee due depends on how many New Jersey consumers’ data the data broker or data collector sells/licenses:
100,000 consumers or fewer in the State - $5,000;
> 100,000 and < 500,000 consumers in the State - $10,000;
> 500,000 and < 1,000,000 consumers in the State - $100,000;
> 1,000,000 and < 1.5 million consumers in the State - $500,000;
> 1.5 million and < 2.5 million consumers in the State - $750,000;
> 2.5 million and < 4.5 million consumers in the State - $1,000,000; and
> 4.5 million consumers in the State - $1,500,000.
It’s worth noting that the law does not state any annual registration deadline, nor does it specify the reference period for determining how many consumers’ personal data a business has sold/licensed for purposes of calculating its annual fee.
Because this approach depends on how many consumers are residents of the state of New Jersey, it is unclear how companies that do not process postal address information are expected to comply with this law. See below for more analysis of potential legal challenges based on this lack of clarity.
Other Notable Provisions
Increased Transparency. Most of the questions New Jersey requires at registration are also required by other state data broker registries, with one notable addition: a data broker must provide a list of the processors who process personal data on behalf of the data broker or data collector.
Ban on Sensitive Data Sales. This law also amends the recently enacted New Jersey Data Protection Act to prohibit the sale of sensitive data. The law previously required consent to sell sensitive data, but now there is an outright ban on any sale of sensitive data (regardless of whether the consumer provided consent). This ban is also not limited by the thresholds of applicability of the law. All entities in the state are prohibited from selling sensitive data. Breach of this prohibition is subject to $50,000 fines per record sold/licensed. As a reminder, the New Jersey Data Protection Act defines sensitive data to include: (1) racial or ethnic origin; (2) religious beliefs; (3) mental or physical health condition, treatment, or diagnosis; (4) financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; (5) sex life or sexual orientation; (6) citizenship or immigration status; (7) status as transgender or non-binary; (8) genetic data for the purpose of identifying an individual; (9) biometric data for the purpose of identifying an individual; (10) personal data collected from a known child; and (11) precise geolocation data.
Fines
In addition to the $50,000 fine for the sale of sensitive data (see above), data brokers and data collectors that fail to register with the state or fail to provide necessary information face a fine of the unpaid annual registration fee (see above) plus $2,500 per day. Unlike most data broker laws and state privacy laws in the US, this fine is not capped, meaning that the fine could amount to $912,500 per violation (not including the data broker registration fee).
Effective Date
The prohibition on the sale of sensitive data goes into effect immediately (July 2, 2026). The data broker provisions go into effect 270 days after the law is enacted on March 27, 2027. As a result, if you are currently selling or licensing sensitive data of New Jersey consumers (whether you collect it yourself or license from others), you should immediately cease all such activities.
Potential Legal Challenges
This legislation was introduced in both the New Jersey Assembly and Senate at the same time on June 28, 2026 passed immediately through committees and floor votes on June 30, 2026, and was signed by the Governor a few days later on July 2, 2026. It seems clear that there was no reasonable debate, and this was a coordinated effort to avoid industry lobbying efforts. More importantly, the law appears to be a prima facie discriminatory tax on interstate commerce, as there is no reasonable way for any business to know the residency of New Jersey consumers without some state-sponsored residency verification method. In addition, the registration fee structure does not align with a ‘legitimate local purpose’ to assist with specific New Jersey consumers' harms from data sales or licensing activities. In legal terms, this law was not ‘narrowly tailored’ and should not survive a ‘strict scrutiny’ judicial analysis of its potential violation of the interstate commerce/dormant commerce clause of the US Constitution. As a result, it is this legal team’s opinion that an industry effort should be made to challenge the legality of this law, and request an injunction before the data broker and data collector provisions go into effect.
Next Steps
The law permits the state to adopt rules and regulations, these could include adding new registration questions and more. We also expect the rules/regulations to clarify the deadline to register as a data broker and to specify the reference period for determining how many consumers’ personal data a business has sold/licensed for purposes of calculating its annual fee.