New Jersey Enacts a Sweeping New Data Broker Law (A5328), Banning Sensitive-Data Sales

New Jersey Enacts a Sweeping New Data Broker Law (A5328), Banning Sensitive-Data Sales
Gov. Mikie Sherrill signed Assembly Bill A5328 on June 30, 2026, banning the sale of sensitive personal data and creating a public data-broker registry with fees up to $1.5 million and penalties up to $50,000 per record.
Information last verified on July 11, 2026. This is a developing story; we update it as the record changes.
Status: Signed and effective on June 30, 2026. The sensitive-data-sale ban and civil penalties apply immediately; the public data-broker and data-collector registry requirement takes effect March 27, 2027.
This article covers New Jersey state law. It does not address federal law or the laws of other states, which may differ.
What Happened
On June 30, 2026, New Jersey Gov. Mikie Sherrill signed Assembly Bill A5328 into law, creating one of the country's most aggressive data-broker regulatory regimes. The bill bans the sale of sensitive personal data, including health, biometric, genetic, precise geolocation, immigration status, and sexual orientation data, drawing its definition of "sensitive data" directly from New Jersey's consumer data-privacy law. The ban applies to any entity that sells such data, regardless of how many consumers' records it holds, and took effect immediately upon signing.
The law also creates a public registry that both data brokers and "data collectors" (entities with a direct consumer relationship that disclose data to brokers) must join. Registration requires an annual fee that scales with the volume of personal data an entity handles, starting at $5,000 for smaller operations and reaching $1.5 million for those holding data on more than 4.5 million consumers. The registry requirement itself takes effect March 27, 2027, giving covered entities a runway to prepare. Violations carry two distinct penalty tracks: up to $50,000 per record for illegal sensitive-data sales, and up to $2,500 per day for failing to register, pay fees, or keep registration information current.
What the Law Actually Says
A5328 builds directly on the New Jersey Data Privacy Act (NJDPA), which already gives residents rights to access, correct, and delete personal data and to opt out of targeted advertising and profiling. Rather than amend consumer-facing rights, A5328 targets the supply side: the brokers and collectors who buy, aggregate, and resell that data. The sensitive-data categories the ban covers, health conditions, biometric and genetic identifiers used to uniquely identify a person, precise geolocation, citizenship or immigration status, transgender or non-binary status, and data collected from a known child, track the NJDPA's own definition of sensitive data, so New Jersey's consumer data-privacy law and A5328 now operate as companion statutes covering the same underlying data categories from opposite directions.
The registry mechanic is not new to state privacy law. Vermont's data-broker registry, created under its Data Broker Regulation Act, requires brokers to register annually and pay a flat fee, and California, Oregon, and Texas run comparable programs. New Jersey's law departs from those models in two ways trade press has repeatedly flagged: it reaches "data collectors" with a direct consumer relationship, not just brokers who deal exclusively in third-party data, and its fee structure is tiered by data volume rather than a flat charge, with a top tier of $1.5 million that industry alerts describe as far higher than any comparable state fee. New Jersey residents already have data rights under the NJDPA; A5328 does not expand the privacy rights New Jersey residents already have so much as restrict who can lawfully traffic in the data those rights govern.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
New Jersey's law lands amid a broader, bipartisan turn against the data-broker industry. Trade publications including IAPP and Bloomberg Law have characterized it as the "costliest" data-broker law in the country to date, a characterization based on the $1.5 million top-tier fee, which is markedly higher than fees under Vermont's, Oregon's, or Texas's broker-registry statutes. We note that characterization comes from industry and legal-press coverage rather than a claim we are independently verifying against every state's fee schedule.
The law also arrives against a backdrop of federal enforcement activity. The Federal Trade Commission has pursued its own actions against location-data brokers in recent years, including the FTC's recent moves against location-data brokers, reflecting a shared regulatory concern, at both the state and federal level, that precise geolocation and health-adjacent data are uniquely sensitive when aggregated and resold. New Jersey's decision to fold "data collectors" (not just resale-only brokers) into its registry requirement is one of the more structurally significant choices in the bill, since it reaches companies that gather data directly from consumers and later license it downstream, a category that state broker registries have historically left out.
New Jersey joins a small but growing list of states running broker registries. California, which also runs a data-broker registry, and Connecticut, which enacted its own registry expansion earlier in 2026, illustrate that the trend is accelerating rather than plateauing. Whether other states adopt New Jersey's tiered-fee, collector-inclusive model, or whether it prompts industry pushback or litigation, is not yet resolved, and we are not predicting an outcome here.
How This Affects You
For New Jersey residents, A5328 does not create new individual rights to exercise; those already exist under the NJDPA. What changes is the supply side: entities that would have sold or licensed a resident's health, biometric, or precise-location data are now barred from doing so outright, with steep per-record penalties for violations.
For data brokers and data collectors operating in or targeting New Jersey, the immediate obligation is to audit whether any current data-sharing arrangements involve sensitive-data categories now banned from sale. The registry requirement is not yet active, but businesses that fall within its scope have a defined runway before the March 27, 2027 deadline to determine their fee tier and prepare registration materials. This is general information, not legal advice, and businesses with specific compliance questions should consult counsel familiar with New Jersey privacy law.
This article covers New Jersey law as of July 11, 2026. Laws and regulatory guidance can change, and this is general legal information, not legal advice. Consult a licensed New Jersey attorney for advice about your specific situation.
Related articles
- New Jersey's consumer data-privacy law
- The privacy rights New Jersey residents already have
- Vermont's data-broker registry
- California's data-broker registry
- The FTC's recent moves against location-data brokers
Last updated: 2026-07-11. This is a developing story; details verified as of 2026-07-11.
Frequently Asked Questions
When did New Jersey's data broker law take effect?
Gov. Mikie Sherrill signed Assembly Bill A5328 on June 30, 2026, and the sensitive-data-sale ban and civil penalties took effect immediately. The public data-broker registry requirement takes effect March 27, 2027.
What data can no longer be sold under New Jersey's new law?
The law bans the sale of sensitive personal data as defined by the New Jersey Data Privacy Act, including health conditions, biometric and genetic identifiers, precise geolocation, immigration status, transgender or non-binary status, sexual orientation, and data collected from a known child.
What is the penalty for selling banned sensitive data in New Jersey?
Civil penalties can reach up to $50,000 for each record sold, offered for sale, or licensed in violation of the law.
How much does data broker registration cost in New Jersey?
Annual registration fees are tiered by the volume of personal data an entity holds, starting around $5,000 for entities handling 100,000 consumers' data or fewer and reaching up to $1.5 million for entities handling more than 4.5 million consumers' data.
What happens if a data broker fails to register in New Jersey?
Entities that fail to register, fail to pay the required fee, or fail to keep registration information current can face civil penalties of up to $2,500 per day of noncompliance.
Is New Jersey the first state with a data broker registry?
No. Trade press describes New Jersey as the seventh state to enact a data-broker law, following California, Nevada, Oregon, Texas, Vermont, and Connecticut, which enacted its own registry expansion earlier in 2026.
Does A5328 apply to companies outside New Jersey?
The law applies to data brokers and data collectors that handle the personal data of New Jersey residents, regardless of where the company itself is headquartered, consistent with how the NJDPA already applies to out-of-state entities doing business with New Jersey consumers.
Does the new law change what rights New Jersey residents have over their own data?
A5328 does not create new individual consumer rights. Those rights, including access, correction, deletion, and opt-out of targeted advertising, already exist under the New Jersey Data Privacy Act. A5328 instead restricts brokers and collectors on the supply side.