Privacy

New Jersey Enacts New Data Broker Registration Requirements and Sensitive Data Restrictions

Published: Jul. 09, 2026

On June 30, 2026, New Jersey quietly enacted one of the most onerous and sweeping data broker regimes in the nation. The law, A5328 (P.L.2026, c.25), requires entities that qualify as “data brokers”—or entities that sell their own consumer information to those data brokers—to register with the state and pay hefty annual registration fees. Those fees (likely prohibitive for some companies) range from $5000 to $1,500,000, depending on how many NJ consumers’ data an entity sells. The law also amends the New Jersey Data Privacy Act (“NJDPA”) to prohibit the sale of sensitive data by virtually any entity, regardless of whether that entity is subject to the NJDPA, and regardless of consumer consent. The prohibitions on sale took effect immediately, while the data broker registration requirements are effective on March 27, 2027. 

Although the law may be challenged on constitutional grounds, organizations that collect and sell personal data (and particularly sensitive data)—including businesses that have not traditionally viewed themselves as “data brokers”—should evaluate whether the law applies to their operations.

Applicability: Data Brokers and “Data Collectors”

The law’s unique registration and fee requirements apply not only to “data brokers” but also to “data collectors.” The definition of “data broker” tracks the meaning in other states: a “person or legal entity, including, but not limited to, a controller, that knowingly collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells or licenses that data to a third party.”

But the law also introduces the novel concept of a “data collector”: a business, or units of a business, separately or together, that knowingly: (1) collect the personal data of a consumer with whom the data collector has a direct relationship; and (2) sell or license such personal data to a data broker. The “data collector” concept does not appear in the laws of any of the other four states with data broker registration laws (California, Oregon, Texas and Vermont), so a potentially vast array of retail businesses, content publishers and other businesses may soon be required to pay heavy fees if they sell the personal information of their web visitors or customers to data brokers.

Certain entities and data are exempt from the law’s registration requirements. Existing exceptions from the NJDPA are preserved, such as protected health information governed by HIPAA, nonpublic financial information regulated by the Gramm-Leach-Bliley Act, and certain information subject to the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act. The law also carves out data sales that are incidental to several types of other processing activities, including:

  • developing or maintaining a third-party e-commerce or application platform;
  • providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
  • providing publicly available information related to an individual’s business or profession or related to providing financial or real estate services;
  • providing publicly available information via real-time or near real-time alert services for health or safety purposes; or
  • providing title and settlement services that are regulated and examined by the New Jersey Department of Banking and Insurance.

The law further exempts nonprofits established to provide enrollment data reporting services on behalf of postsecondary educational institutions.

Some of these carve-outs could give rise to a constitutional challenge to the statute. The Supreme Court has held that commercial information sharing is protected by the first amendment (see, e.g., Sorrell v. IMS Health, 564 U.S. 552 (2011), and the law arguably fails the content neutrality test applied to restrictions on protected speech. The enormity of the fines themselves raises a “tax on speech” issue (see, e.g., Minneapolis Star v. Minnesota Commissioner of Revenue, 460 U.S. 575 (1983)), with the potential that many companies may have to forego handling or sharing personal information pertinent to New Jersey (or alternatively cut jurisdictional ties to New Jersey). 

Registration and Disclosure Requirements

Under the new law, both data brokers and data collectors must register annually with the NJ Division of Consumer Affairs and provide information regarding their data processing activities, privacy disclosures, consumer rights request mechanisms, and whether the organization has experienced a data breach in the registration period. The law even imposes a unique requirement that data brokers and collectors list entities that act as their processors.

The law imposes on both brokers and collectors steep annual registration fees, which vary depending on the number of New Jersey consumers whose personal data a registrant processes:

100,000 consumers or fewer

$5,000

100,001 – 500,000 consumers

$10,000

500,001 – 1,000,000 consumers

$100,000

1,000,001 – 1.5 million consumers

$500,000

1,500,001 million – 2.5 million consumers

$750,000

2,500,001 million – 4.5 million consumers

$1,000,000

4,500,001 million consumers or more

$1,500,000

Given the amount of data in their possession, most data brokers would thus pay fees of at least $500,000, amounting to a cost-prohibitive tax to many. Registration fees are deposited into a dedicated fund to support administration and enforcement of the law.

Prohibition on the Sale of Sensitive Data

Separate from the data broker requirements, the legislation also amends the NJDPA to prohibit the sale of sensitive data for all entities – regardless of whether such entities are otherwise subject to the privacy law. Previously, the NJDPA required controllers to obtain opt-in consent before processing (including selling) sensitive data, but the new prohibition on selling this data contains no consent exception.

The definition of “sensitive data” remains unchanged, and includes racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sex life or sexual orientation, citizenship or immigration status, genetic or biometric information processed for identification purposes, precise geolocation information (i.e., information derived from technology that identifies the location of an individual within a radius of 1,750 feet), and personal information collected from known children.

Penalties

The law authorizes civil penalties for failures to comply with the registration requirements and violations of the ban on selling sensitive data.

Data brokers and data collectors that fail to register, fail to pay the required registration fee, or fail to update required information may be assessed civil penalties of $2,500 per day until compliance is achieved. Any entity that violates the prohibition on selling sensitive data can be fined $50,000 for each record sold, offered for sale, or licensed.

Next Steps

Constitutional challenges to the data broker registration requirements of the law are expected, as are additional lobbying efforts to soften the harshest aspects of the law. Nonetheless, organizations that participate in the commercial data marketplace –both traditional data brokers and entities that sell data to brokers – should begin preparing for compliance as soon as possible.

All businesses should assess their data disclosure practices to determine whether they are “data collectors”—i.e., whether they “sell” personal data to data brokers—and if so, evaluate whether to continue such practices with respect to New Jersey consumer data. Data brokers should evaluate whether to cease working with New Jersey personal data. Both types of businesses might consider whether it is more advantageous to simply cut jurisdictional ties to New Jersey rather than changing their information practices.

If these businesses decide to continue as status quo, they should begin preparing registration information now, and ensure resources are in place to pay the required fees. Additionally, organizations that sell sensitive data—including but not limited to location data vendors—should revise their processes to avoid running afoul of the new prohibitions. Businesses should also monitor any guidelines offered by the NJ Division of Consumer Affairs, which may issue additional clarifications and interpretive guidance.