On June 30, 2026, New Jersey enacted legislation A5328 (P.L.2026, c.25), which will expose a broad swath of U.S. companies to data broker registration fees ranging from $5,000 to $1.5 million annually. The new legislation is not limited to data brokers in the conventional sense. It applies generally to any company that sells or licenses personal data of New Jersey residents, including those with direct customer relationships. Much of the law takes effect immediately, so companies should begin reviewing the requirements now to comply.

Despite its significance, the bill was introduced just days before passage and passed alongside the annual appropriations act with little public input. Although the governor’s budget proposal called for registration of data brokers, the fees anticipated in the proposal were a small fraction of those that the Legislature ultimately adopted.

Data Broker and Collector Registration

Under the new legislation, New Jersey requires annual registration of data brokers and data collectors. The law defines a “data broker” as any person or entity, including, but not limited to, a controller, that knowingly collects or purchases personal data from consumers with whom it has no direct relationship and then sells or licenses that data to a third party. The law separately defines a “data collector” as a business that collects personal data from a consumer it has a direct relationship with and sells or licenses that data to a data broker. New Jersey is the only state whose data broker law requires “data collectors” to register, making its law uniquely far-reaching.

Registration Fees

New Jersey’s annual registration fees for data brokers and collectors far exceed those in effect in any other jurisdiction. The annual fees are based on the number of New Jersey consumers whose personal data is sold or licensed in the state. Fees range from $5,000 to $1.5 million annually.

Number of New Jersey consumers whose data is sold/licensedRegistration fee
Up to 100,000$5,000
100,001 to 499,999$10,000
500,001 to 999,999$100,000
1,000,001 to 1,499,999$500,000
1,500,001 to 2,499,999$750,000
2,500,001 to 4,499,999$1 million
4,500,001 or more$1.5 million

By comparison, California’s annual registration fee is currently $6,000, and other states’ fees are lower, ranging from $100 in Vermont, to $2,500 in Connecticut.

Annual Report Information

In addition to the registration fee, data brokers and data collectors must submit the following information at least annually:

  • Name and physical, email, and internet website addresses.
  • Consumers’ ability to opt out of personal data collection, including the opt-out method, type of opt out, whether the opt out is limited to certain activities or sales, and whether a third party may opt out on an individual’s behalf.
  • Data collection, databases, or sales activities that a consumer may not opt out of.
  • Consumers’ ability to request deletion of their personal data.
  • Any credentialing process for purchasers of data and an explanation of the process.
  • History of data breaches and other cybersecurity events, including the number of individuals affected.
  • Data collection practices, databases, sales activities, and opt-out methods applicable to personal data of individuals under 18,, and whether the registrant has actual knowledge that it possesses personal data of individuals under 18.
  • The registrant’s data processors.
  • Any other information required by the Division of Consumer Affairs.

New Sensitive Data Restrictions

In addition to establishing registration requirements for data brokers and data collectors, the legislation amends New Jersey’s data privacy law and enacts new restrictions relating to sensitive data.

Under the amendments to New Jersey’s data privacy law, data controllers may “not sell sensitive data.” This prohibition applies “regardless of the number of consumers whose data the individual or entity controls or processes.” The scope of this prohibition applies to the broad definition of “sensitive data” under the data privacy law, including:

  • Racial or ethnic origin.
  • Religious beliefs.
  • Mental or physical health condition, treatment, or diagnosis.
  • Financial information (account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account).
  • Sex life or sexual orientation.
  • Citizenship or immigration status.
  • Status as transgender or nonbinary.
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.

The restriction on selling sensitive data is extended to apply to data brokers and data collectors, who are barred from selling or licensing sensitive data to any other individual or entity.

Exceptions

The law provides two categories of exceptions to the registration requirement and prohibition on selling or licensing sensitive data. Entity-level exemptions apply to Gramm-Leach-Bliley Act (GLBA)-covered institutions, insurance companies, secondary market institutions, and state agencies, and data-level exemptions apply to information governed by the Fair Credit Reporting Act (FCRA), GLBA, and the Health Insurance Portability and Accountability Act (HIPAA), publicly available information, and human subject research data.

This law also includes carve-outs clarifying when a company is not considered a data broker or data collector. A company does not qualify as either if its data brokering activity is incidental to any of the following business activities: developing or maintaining a third-party e-commerce or application platform; providing directory assistance or directory information services; providing publicly available information related to an individual’s business or profession, providing financial or real estate services, or providing alerts via alert services for health or safety purposes; or providing title and settlement services.

Deadlines

The law takes effect immediately but states that its provision regarding establishment and maintenance of a public registry of data brokers and collectors by the Division of Consumer Affairs will remain inoperative for 270 days until March 27, 2027. The law does not include any annual registration deadline, nor does it specify the reference period for determining how many consumers’ personal data a business has sold or licensed for purposes of calculating its annual fee.

Penalties

Penalties for data brokers or data collectors who fail to register, pay the annual fee, submit the required information, or update their information are up to $2,500 for each day the data broker or collector fails to register or submit the required fee or information. Violations of the prohibitions on selling or licensing sensitive data are up to $50,000 for each record sold, offered for sale, or licensed.

Why It Matters

The reach of this law is its defining feature. Any business that sells or licenses personal data collected directly from its own customers, employees, or investors in New Jersey may qualify as a “data collector” and trigger the registration and fee obligations. That could sweep in SaaS providers, marketing platforms, fintech apps, and others well outside the traditional data broker industry.

Two features compound the risk:

  • The sensitive data prohibition is strict and expensive. The ban on selling or licensing sensitive data applies to companies of any size, and the definition of “sensitive data” is broad, covering health, precise geolocation, financial credentials, biometric data, and children’s data. At $50,000 per record, a single noncompliant transaction involving a modest data set can generate potential liability in the tens of millions.
  • Key terms are undefined. The law sets no annual registration deadline and does not specify the reference period for counting the consumers whose data a business sells or licenses. Because that count determines which fee tier applies, the ambiguity creates real exposure: a company’s good-faith interpretation could be second-guessed, with penalties accruing at $2,500 per day.

Companies should not wait for the March 27, 2027, registry launch. The law’s provisions are already in effect, and the Division of Consumer Affairs is expected to issue implementing regulations that could reshape the definitions and exemptions before then.

What to Do Now

  • Determine whether the law applies. Assess whether your organization is a “data broker” or “data collector,” and whether an exception is available. Do not assume an exemption applies without careful review.
  • Audit your sensitive data flows. Identify any product or service that involves selling or licensing data within the statute’s broad sensitive data definition.
  • Prepare to register. Begin compiling the required disclosures, including breach history, opt-out mechanisms, and practices involving minors’ data.
  • Monitor the rulemaking. Watch for regulations that may clarify or shift the definitions and exemptions.

Troutman Pepper Locke will continue to monitor developments under New Jersey’s new data broker law and provide updates as the registry and implementing regulations take shape.


Troutman Pepper Locke State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25+ years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation.
Chris Carlson
Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies.
Lauren Fincher
Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education.
Michael Yaghi
Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Matthew J. Berns
Drawing on his experience in senior leadership roles in the New Jersey Attorney General’s and Governor’s Offices and as a trial attorney for the U.S. Department of Justice, Matt provides an insider’s perspective when guiding clients through complex government investigations, litigation, and other actions.
Samuel E. “Gene” Fishel
Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests.
Jeff Johnson
Jeff helps clients navigate complex regulatory and litigation challenges with local, state, and federal authorities. His clients benefit from his decade of broad litigation experience, understanding of emerging state and federal regulatory issues, and strong relationships with attorneys general across the U.S. In addition to handling cases from trial through state or federal appeals, Jeff serves as amicus counsel in advancing legal rules to support his clients’ vital interests.
Jay Myers
Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs.
Zoe Schloss
Zoe represents clients in litigation and government investigations. As former deputy attorney general for the Delaware Department of Justice, she is an experienced litigator who understands the enforcement priorities that impact her clients. Zoe works with individuals and corporate entities in highly regulated industries, including financial services, health care, and energy.
Jessica Birdsong
Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology.
Sydney Goldberg
Sydney is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She has additional experience assisting with corporate transactions and finance matters.
Troy Homesley
Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
William LaRosa
Bill represents clients in complex regulatory investigations, state attorneys general matters, and enforcement proceedings, drawing on his experience as a former assistant U.S. attorney and private sector litigator in high stakes, multistate AG and regulatory matters.
Philip Nickerson
Philip represents clients in sectors such as financial, tech, real estate, and energy in a range of litigation matters. He is experienced in matters involving trade secrets, government investigations, commercial contracts, construction and product defect.
Lane Page
Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues.
Dascher Pasco
Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities.
Kyara Rivera Rivera
Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review.
Timothy Shyu
Timothy is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group.
Trey Smith
Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues.
Daniel Waltz
Dan helps clients navigate all aspects highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals.
Stephanie Kozol
Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department.