If your business collects, buys, or sells customer data, add a new data broker law to your list. This one, in New Jersey (New Jersey's Assembly Bill 5328), had immediate effect when it was passed on June 30, 2026. New Jersey joins California, Texas, Oregon, and Vermont as states with laws aimed at data brokers.
Under the law, there are requirements for two types of businesses: data brokers and data collectors. A data broker is defined as those that collect or purchase personal data from New Jersey residents in their personal (household capacity) with whom the company has no direct relationship, and then sell or license that data to a third party. A data collector, on the other hand, is a business that gathers personal data directly from its own (New Jersey) customers and then sells or licenses that information to a data broker.
Unlike other states, New Jersey will maintain a registry that lists not only data brokers, but data collectors as well. Under the law, both entities must register annually and pay a fee. Fees are assessed based on a sliding scale. Although the registration obligations are effective immediately, the public registry will not be available until March 2027. Once live, the registry will include, among other things, links to companies’ privacy policies and opt-out information. Covered companies will also need to disclose if they have had a data breach (this will be disclosed to the regulator, but not on the public registry). There will be a $2,500 per day civil penalty for failure to register.
In addition to being a law aimed at data brokers, AB5328 also amends New Jersey’s privacy law, broadening a restriction that formerly applied to entities that met certain thresholds. Now, as amended, all companies (regardless of thresholds) are prohibited from selling or licensing sensitive personal data. Sensitive data includes health and medical information, financial account details, precise geolocation data, immigration status, biometric data, and any data collected from children. Under the law, companies that sell, offer for sale, or license sensitive personal data in violation of the law may be subject to a civil penalty of $50,000 for each record involved in the violation.
Putting it into Practice: This law is a reminder of the focus regulators are placing on companies that sell or license personal information. Companies should review whether their activities meet the definition of data broker or data collector, prepare for upcoming registration requirements, and keep in mind the prohibitions surrounding sensitive information.