CLIENT ALERT
July 8, 2026
Read time: 7 min
On June 30, 2026, New Jersey enacted A5328, prohibiting the sale of sensitive data and establishing a public registry for data brokers and data collectors.
The law amends the New Jersey Data Privacy Act to ban the sale of sensitive data by all individuals and legal entities, regardless of whether they are otherwise subject to the New Jersey Data Privacy Act. The law has strict civil penalties associated with violations of this ban: $50,000 for each record sold, offered for sale, or licensed. Further, the law creates a new registration regime for data brokers and data collectors, including tiered annual registration fees that can reach $1.5 million and civil penalties for noncompliance.
Notably, the New Jersey law creates a new statutory category for companies that may have not been previously governed by data broker legislation – the data collector category – which applies to entities with a direct relationship to a consumer whose personal data they sell or license. This new category of covered entities will pull in a host of entities that have not, yet, been governed by other relatively similar state laws and who do not, rightly, consider themselves data brokers.
The New Jersey law takes effect immediately, except for the registry provisions, which kick in on March 27, 2027. The New Jersey Division of Consumer Affairs in the Department of Law and Public Safety (the “Division) is authorized to adopt rules and regulations as necessary to implement and provide clarity to the law.
Ban on sensitive data sales
A5328 amends the New Jersey Data Privacy Act to add a broad prohibition on selling sensitive data. The prohibition applies to all individuals and legal entities selling, offering to sell, or licensing sensitive data to other individuals or entities regardless of the law’s ordinary applicability thresholds under the Data Privacy Act. This ban, which applies regardless of the number of consumer data records at issue, makes the law broader than many state privacy-law restrictions that apply only to covered controllers meeting certain revenue or data-volume thresholds.
“Sensitive data” includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, financial account access information, sex life or sexual orientation, citizenship or immigration status, transgender or non-binary status, genetic or biometric data used to uniquely identify an individual, data collected from a known child, and precise geolocation data.
A5328 includes several exemptions from its various obligations. Those exemptions apply to the following:
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Data held by financial entities subject to the Gramm-Leach-Bliley Act (GLBA)
- Specific research activities subject to human subject research laws
- Certain consumer reporting activities governed by the Fair Credit Reporting Act
- Personal information held by certain national securities associations governed by the Securities Exchange Act of 1934
- Personal information held by insurance institutions and government entities
The law also excludes activities that are incidental to specified services, such as maintaining a third-party e-commerce or application platform or providing certain directory assistance or directory information services.
Data broker and data collector registry
The law directs the Division to establish and maintain a public registry of data brokers and data collectors engaged in processing personal data of New Jersey consumers. A “data broker” is generally an entity that knowingly collects or purchases personal data of consumers with whom it lacks a direct relationship and sells or licenses that data to a third party. A “data collector” is generally a business that has a direct relationship with consumers and sells or licenses their personal data to a data broker.
This data collector category is novel amongst US consumer privacy and data broker legislation, and this scope is notable because it allows the New Jersey law to reach companies that have direct relationships with consumers if they sell or license consumer personal data to data brokers. As a result, companies that do not view themselves as data brokers, and are not data brokers under any other law, may still need to evaluate whether their downstream data-sharing arrangements bring them within the statute’s obligations and penalty structure.
Registration fees and required disclosures
Covered data brokers and data collectors must register annually with the Division and pay a registration fee based on the volume of New Jersey consumer personal data they possess, collect, sell, or license. The fee schedule ranges from $5,000 for entities handling personal data of 100,000 or fewer New Jersey consumers to $1.5 million for entities handling personal data of more than 4.5 million New Jersey consumers.
Registrants must provide detailed information, including the following:
- The registrant’s name and primary physical, email, and Internet website addresses
- Whether individuals may opt out of collection practices and the method for requesting an opt-out, the type of opt-out, whether the opt-out is limited to certain activities or sales, and whether the data broker or data collector permits individuals to authorize a third party to opt out on the individual’s behalf
- Whether the registrant permits individuals to direct it to delete any personal data in its possession
- Any data collection, databases, or sales activities from which individuals may not opt out
- Whether the registrant uses a credentialing process for data purchasers and a general explanation of that process
- A history of data breaches and other cybersecurity events affecting the registrant and personal identifying information in its possession
- A statement detailing the data collection practices, databases, sales activities, and opt-out methods applicable to personal identifying information of persons under 18
- The processors that process personal data on the registrant’s behalf
Registrants must review and update their registrations at least annually, and certain cybersecurity-event information will not to be published.
Fines and enforcement
The law imposes substantial civil penalties. A data broker or data collector that fails to register or pay the required annual fee may be liable for the unpaid registration fees plus a civil penalty of $2,500 per day. The same daily penalty applies to failures to submit or update required registration information. Separately, a data broker, data collector, or controller that sells, offers for sale, or licenses sensitive data in violation of the law may face a civil penalty of $50,000 for each record sold, offered for sale, or licensed.
Key takeaways
New Jersey’s new law adds another layer to the rapidly developing state data broker landscape. Companies should assess whether they sell and/or license New Jersey consumer personal data to data brokers, whether any transfers involve sensitive data, whether they honor existing legal requirements regarding obeying deletion and opt-out rights, and whether existing vendor diligence and data inventory processes are sufficient to support the new registration and disclosure obligations.
Unlike other state data broker laws such as California’s Delete Act, Texas’s Data Broker Act, recent amendments to the Connecticut Data Privacy Act, and recent amendments to Vermont’s data broker regulation, New Jersey’s A5328 does not create a new means for consumers to opt-out of inclusion in, or delete their data from, all data broker repositories, nor does it require data brokers issue a disclaimer on their platforms or maintain a bond with the state in order to pay penalties.
If you have questions about New Jersey’s A5328 or other state data broker requirements, please contact any of the authors or your regular McDermott Will & Schulte lawyer.
Ciarra Lee, a summer associate in the Washington, DC office, contributed to this client alert.