New Jersey’s New Data Broker Law is Expensive, Expansive, and Effective Immediately 

July 15, 2026

The Garden State has made life more complicated and more expensive for the data broker industry. On June 30, 2026, New Jersey Governor Mikie Sherrill signed A.5328, making New Jersey the seventh state to enact a data broker law. New Jersey’s new data broker law is arguably the most aggressive, and certainly the most expensive, in the country. The majority of the new law took effect immediately, imposing registration fees of up to $1.5 million annually, and introducing a category of “data collectors” that no other state data broker law covers. Businesses that sell personal data, including those with direct relationships with their customers, should assess their exposure now.

Who Is Covered

A.5328 creates obligations for two categories of entities. “Data brokers” are defined consistently with other state laws: entities that knowingly collect or purchase personal data of consumers with whom they have no direct relationship and sell or license that data to third parties. “Data collectors” are new to New Jersey law and have no analog in any other state’s data broker statute. These are defined as entities that have a direct relationship with consumers but sell or license their personal data to a data broker. This means that a first-party data holder (e.g., a retailer, publisher, or app operator that sells its own customer data downstream) is now a regulated entity in New Jersey, subject to the same registration, fee, and sensitive data obligations as a traditional data broker.

Registration Fees

Both data brokers and data collectors must register annually with the New Jersey Division of Consumer Affairs and pay a tiered annual fee based on the volume of personal data involved, as follows:

  • $5,000 for data on 100,000 or fewer NJ consumers;
  • $50,000 for 100,001–500,000 NJ consumers;
  • $200,000 for 500,001–1 million NJ consumers;
  • $500,000 for 1–2 million NJ consumers;
  • $1 million for 2–4.5 million NJ consumers; and
  • $1.5 million for more than 4.5 million NJ consumers.

These are the highest data broker registration fees enacted by any state. The Division must establish a public registry by March 27, 2027, but registration obligations and fees are effective now.

Sensitive Data Ban

A.5328 also amends New Jersey’s existing comprehensive privacy law to prohibit controllers, data brokers, and data collectors from selling sensitive personal data (with “sale” defined as an exchange of data for money or other valuable consideration). Sensitive data is defined broadly by the state’s privacy law to include data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, financial account credentials, sex life or sexual orientation, citizenship or immigration status, transgender or non-binary status, genetic or biometric data, children’s data, and precise geolocation data. Two features make this prohibition more expansive than it appears. First, similar to the strong prohibition in Maryland’s state privacy law, there is no consent exception, meaning a consumer cannot authorize the sale of their sensitive data under this law even if they wish to do so. Second, the prohibition applies regardless of whether the entity otherwise meets the thresholds for coverage under New Jersey’s comprehensive privacy law, meaning a company that touches even one New Jersey resident’s sensitive data faces exposure if it sells that data.

Penalties

Failure to register or timely update registration information carries a civil penalty of up to $2,500 per day. The penalty for selling, offering for sale, or licensing sensitive data is $50,000 per record — a figure that can compound rapidly given the volume at which personal data typically moves. Enforcement authority rests exclusively with the New Jersey Attorney General.

What Companies Should Do Now

Because the law took effect June 30, 2026, there is no grace period for most obligations. Businesses that sell personal data touching New Jersey residents should:

  • determine whether they qualify as a data broker or, critically, as a data collector under the new direct-relationship definition;
  • audit data flows for sensitive data categories covered by the prohibition, and halt any sales that cannot be restructured to avoid triggering it;
  • calculate their applicable registration fee tier; and
  • register with the Division of Consumer Affairs without delay.

The Division’s registry will not be operational until March 27, 2027, but the registration obligation itself is active now — companies should document their compliance position in the interim.

For assistance evaluating your exposure under NJ A.5328, please contact Benjamin Mishkin in Cozen O’Connor’s Technology, Privacy & Data Security practice.

Share on LinkedIn

Authors

Benjamin Mishkin

Member

bmishkin@cozen.com

(215) 665-2171

Related Practices