New Jersey Establishes New Framework for Data Collectors

Businesses managing consumer information face a major reset in state policy as the new NJ Data Broker Law takes effect. Assembly Bill 5328/Chapter 25, recently passed and signed in New Jersey, creates a comprehensive regulatory framework for entities dealing with personal data. Notably, this law impacts businesses far beyond traditional data brokers by introducing a novel definition of a data collector. This legislation drastically alters compliance requirements for data driven industries by prohibiting the sale of sensitive data and mandating an annual registry.

Defining Data Brokers and Collectors

  • The Traditional Data Broker: Historically, laws targeted data brokers, defined as entities that collect personal data without a direct consumer relationship and sell it to third parties.
  • The Novel Data Collector: New Jersey is unique because it also regulates data collectors. A data collector is classified as a business that maintains a direct relationship with the consumer but still collects and sells or licenses that personal data to a data broker.
  • Direct Relationship Criteria: Simply collecting data directly from users is no longer sufficient to bypass scrutiny under these new definitions.

Registry Fees and Compliance Rules

  • Sensitive Data Restrictions: The law imposes a blanket prohibition on selling sensitive data. This prohibition applies to all individuals or legal entities regardless of how many consumers they process.
  • Public Registry Mandate: The Division of Consumer Affairs must establish a public registry for all covered data brokers and collectors doing business in the state.
  • Tiered Registration Costs: Annual fees are scaled based on consumer volume. Operations with 100,000 or fewer consumers pay $5,000, while the maximum fee reaches $1.5 million for processing data of over 4.5 million consumers.

Broader State Privacy Law Context

Because a uniform federal privacy standard remains absent, individual states continue to implement distinct statutory frameworks. For comparison, under California’s Delete Act passed last year residents can submit a single, global request for all registered data brokers to delete their personal information, and covered businesses must begin retrieving and honoring these DROP requests by August 1, 2026, or face steep fines. Connecticut enacted sweeping legislation, SB 4/Public Act 26-64, in May 2026 that establishes a comprehensive data broker registry, restricts the sale of precise geolocation data, and lays the groundwork for its own accessible deletion mechanisms. Similarly, Vermont updated its pioneer registry laws with the enactment of SB 71/Act 145 in June 2026, expanding the definition of brokered personal information and requiring stringent new purchaser credentialing procedures, effectively creating a “know-your-customer” obligation for data transfers. However, New Jersey’s unique incorporation of first-party data collectors introduces an independent legislative strategy that expands regulatory scope beyond these other state models. While much of the law took effect immediately, covered entities must prepare for the New Jersey registry provisions to take effect on March 27, 2027.

FOCUS will continue to monitor developments on data broker legislation across the country.

by Austin Young 7/13/26