Skip to Main Content

Keeping you informed

New Jersey's New Data Broker Law Reaches Companies Selling Their Own Customer Data

    Client Alerts
  • July 15, 2026

Many businesses that have never considered themselves data brokers may now face registration, disclosure, and fee obligations in New Jersey.

On June 30, 2026, New Jersey Governor Mikie Sherrill signed Assembly Bill 5328, creating annual obligations for data brokers and a new category of regulated business called a "data collector." The law also prohibits certain sales and licenses of sensitive personal data and authorizes penalties of up to $50,000 per record for certain violations. While much of the discussion surrounding the law has focused on registration and fees, businesses should pay particular attention to the statute's restrictions on sensitive-data sales.

While annual registration fees can reach $1.5 million, the largest of any data broker law in the country, the law’s broader significance may be its expansion beyond traditional data brokers. Most state data broker laws focus on companies that acquire information about individuals with whom they have no direct relationship and then sell or license that information to others. New Jersey’s law goes further by regulating certain businesses that collect personal data directly from their own customers and later sell or license that information to data brokers.

As a result, businesses monetizing first-party data may face obligations even if they have never viewed themselves as participating in the data broker ecosystem. Customer lists, subscriber databases, marketing leads, loyalty-program information, investor records, donor files, and similar datasets may now require closer review.

The law took effect immediately. However, 10 days after enactment, the New Jersey Division of Consumer Affairs announced that covered data brokers and data collectors will not be required to register or pay registration fees until the public registry is launched in spring 2027. The first registration period will run from April 1 through June 30, 2027, and the division has indicated that additional guidance regarding the law's requirements is forthcoming.

Organizations should nevertheless continue evaluating whether they qualify as a data broker or data collector and whether any data-sale practices may implicate the law's restrictions on sensitive data.

Expanded Regulation Beyond Traditional Data Brokers

The law regulates both data brokers and a newly created category of business called a "data collector." A data broker collects or purchases personal data about consumers with whom it has no direct relationship and sells or licenses that information to third parties. By contrast, a data collector obtains personal data directly from consumers with whom it does have a direct relationship and then sells or licenses that information to a data broker.

As a result, businesses monetizing first-party data may now fall within the law's scope even if they have never considered themselves data brokers. Because the statute defines a sale broadly to include transfers for monetary or other valuable consideration, organizations should review existing data-sharing arrangements carefully.

Unlike many obligations under the New Jersey Data Privacy Act (NJDPA), the registration requirement contains no minimum consumer-volume threshold. Instead, applicability turns on whether the organization qualifies as a data broker or data collector and sells or licenses personal data relating to New Jersey consumers.

Coverage will often depend on the recipient. A transfer does not automatically trigger the law. The recipient must qualify as a data broker, and disclosures to service providers acting solely as processors are excluded. The law also contains several exemptions, including certain activities and information regulated under HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, insurance laws, and specified human-subject research rules.

Ban on Certain Sensitive-Data Sales Is Significant

The law also amends the NJDPA to prohibit the sale of sensitive data. A separate provision prohibits data brokers and data collectors from selling or licensing sensitive data to other parties.

The prohibition appears to apply regardless of the volume of data processed and regardless of whether the business otherwise falls within the primary scope of the NJDPA. Sensitive data includes health information, financial-account information, biometric and genetic data, precise geolocation data, and citizenship or immigration status, among others.

Importantly, consumer consent does not appear to cure a prohibited sale. Businesses should distinguish between obtaining consent to process sensitive data and selling or licensing that data. The former may be permissible in certain circumstances. The latter may be prohibited outright.

The law authorizes penalties of up to $50,000 per record for certain prohibited sales or licenses of sensitive data, although it does not define the term "record." As a practical matter, many organizations may face greater near-term risk from the sensitive-data restrictions than from the registration provisions. Businesses that monetize health information, biometric data, precise geolocation information, children's data, or other categories of sensitive data should evaluate those practices now.

Compliance Risks Related to Registration Fees and Public Disclosures

Registration fees range from $5,000 to $1.5 million annually based on the number of New Jersey consumers whose personal data is sold or licensed. Consistent with the division's announcement regarding registration timing, covered entities will not be required to register or pay those fees until the registry launches in 2027.

The public registry will include basic identifying and contact information, privacy-policy information, and consumer opt-out details. Failure to register, pay required fees, or maintain current registration information may result in civil penalties of $2,500 per day, in addition to any unpaid registration fees.

What Companies Should Do Now

  • Determine whether your organization sells or licenses sensitive data concerning New Jersey residents and whether any exemption may apply.
     
  • Inventory first-party data monetization activities, including transfers involving customer, subscriber, marketing, investor, donor, and other consumer-related datasets.
     
  • Identify recipients of that data and determine whether they qualify as data brokers or instead act solely as processors or service providers.
     
  • Review contracts governing data-sharing arrangements, downstream use restrictions, and limitations on resale or licensing.
     
  • Assess whether the organization may qualify as a data broker or data collector, regardless of whether it meets the NJDPA’s traditional applicability thresholds.
     
  • Estimate potential registration-fee exposure based on the volume of New Jersey consumer data involved.
     
  • Begin gathering information that may be required for registration and public disclosure.
     
  • Monitor guidance from the Division of Consumer Affairs regarding implementation, sensitive-data restrictions, registration procedures, and other unresolved interpretive issue.

For many organizations, the most important question is no longer whether they fit the conventional definition of a data broker. Instead, businesses that monetize their own customer data should evaluate whether New Jersey’s new data collector framework brings those activities within the scope of the law.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.