Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 12, 2026 · 6 min read

New Jersey's $1.5M Data Broker Law Is Now in Effect

A5328, signed June 30, 2026 and effective the same day, is the first state law to regulate "data collectors" alongside data brokers—with registration fees up to $1.5 million a year, an outright ban on selling sensitive data, and penalties of $2,500 per day plus $50,000 per record.

Most state data broker laws share a quiet loophole: they only regulate companies with no direct relationship to the consumer whose data gets sold. A retailer that collects your email at checkout and later licenses it to a broker was, in most states, someone else's problem. New Jersey just closed that loophole, and attached the highest registration fees and per record penalties in the country to doing so.

New Jersey's governor signed A5328, formally P.L.2026, c.25, into law on June 30, 2026, and nearly all of it took effect the same day. There was no grace period, no comment window, no phase in for the sensitive data sales ban. Companies that sell New Jersey residents' data found themselves regulated before most of their legal teams had finished reading the bill.

Key Takeaways

  • New Jersey's A5328 took effect June 30, 2026, and requires both "data brokers" and, uniquely, "data collectors" to register with the state.
  • Registration fees scale up to $1.5 million per year for the largest data brokers and collectors, with the top tier triggered at just 100,000 New Jersey consumers.
  • The law bans selling or licensing "sensitive data" (health, precise location, financial credentials, biometric, and children's data) outright, with penalties up to $50,000 per record.
  • Registration and reporting violations carry civil penalties of up to $2,500 per day, more than ten times California's $200 a day maximum.
  • The state's public data broker registry does not launch until March 27, 2027, but the registration duty and the sensitive data ban are already enforceable.

What Does New Jersey's A5328 Require?

A5328 requires any company that meets the state's data broker or data collector thresholds to register annually with the New Jersey Division of Consumer Affairs, disclose their data practices—including breach history, opt out mechanisms, and how they vet the third parties buying their data—and pay a registration fee tied to volume. Separately, and effective immediately regardless of registration status, the law prohibits selling or licensing "sensitive data" as defined under the statute. According to Regulatory Oversight's analysis, the public facing registry itself won't go live until March 27, 2027—270 days after enactment—but the underlying legal obligations to register and to stop selling sensitive data are already in force.

What's the Difference Between a Data Broker and a Data Collector?

A data broker, in the traditional sense used by California, Vermont, Texas, and Oregon's existing laws, is an entity that collects or buys personal data from consumers it has no direct relationship with, then resells or licenses it. A data collector, the category New Jersey invented, is a business that does have a direct relationship with its customers—a retailer, an app, a loyalty program—but that later sells or licenses that first party data to a data broker. IAPP's coverage confirms New Jersey is the only state whose data broker law reaches this second category, meaning a company can trigger registration obligations purely by monetizing its own customer list through a third party broker relationship, even if it never buys or resells anyone else's data.

How Much Could Violations Cost?

The fee structure alone sets New Jersey apart. Registration fees scale from roughly $5,000 for smaller operations up to $1.5 million annually once a broker or collector crosses the largest consumer volume tier—a tier that starts at just 100,000 New Jersey residents, according to Troutman's regulatory analysis. For comparison, California's flat annual registration fee is $6,000—meaning New Jersey's top tier is roughly 250 times more expensive.

Penalties compound that gap: registration and reporting violations carry civil penalties up to $2,500 per day, more than twelve times California's $200 a day ceiling, and more than 25 times Texas's $100 a day maximum. Sell a batch of sensitive records in violation of the outright ban, and the exposure jumps to $50,000 per record—a structure that can turn one careless data transfer into a penalty in the tens of millions.

The New Jersey State House in Trenton with its golden dome at dusk, photographed from a low angle under a dramatic sky

Why Email Users Should Care

A5328 targets companies, not individual inboxes, but the personal data it regulates is often the same data that fills your inbox with unsolicited marketing. Email addresses, purchase history, and behavioral profiles collected through a retailer's checkout flow or loyalty program are precisely the kind of first party data New Jersey now treats as regulated "data collector" activity the moment it's sold or licensed onward. That's a meaningful shift: a company that only ever emails you directly was largely outside data broker regulation until now.

For consumers, the practical effect is indirect but real. Companies facing $1.5 million registration fees and $2,500 a day penalties have a sharp new incentive to audit exactly which vendors receive their customer email lists—and some will simply stop selling that data rather than register. Compliance teams reviewing vendor contracts this quarter should expect email marketing platforms and list rental partners to be squarely inside the conversation, alongside the more obvious data broker relationships.

How Does This Compare to Other State Laws?

New Jersey now sits well outside the norm set by Connecticut's SB4, California's data broker registry and Delete Act, Vermont, Texas, and Oregon. Every one of those states caps registration fees in the low hundreds to low thousands of dollars and daily penalties at $50 to $500. New Jersey's minimum penalty tier alone exceeds most other states' maximums, and its data collector category has no direct analog anywhere else in the country—a distinction that data broker researchers have flagged as the industry's biggest transparency gap for years.

What Should Compliance Teams Do Now?

The immediate effective date means there is no runway. Compliance officers should inventory every vendor relationship where customer data—including email lists—flows to a third party that resells or licenses it, determine whether that activity crosses the data collector threshold, and confirm no sensitive data categories are being sold under any existing contract, since that ban carries no registration workaround. Exemptions exist for GLBA covered financial institutions, insurers, and entities already governed by FCRA or HIPAA, but they are narrower than the equivalent carve outs in other states, so assuming an exemption applies without checking the statutory text is a risk in itself—the official bill text is the place to verify.

Given the March 2027 registry launch is still ahead, this is also the window to get processes and documentation in order before New Jersey's Division of Consumer Affairs starts publishing who has—and hasn't—registered.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.