Data Brokers & Beyond: Navigating New Jersey’s Data Broker & “Data Collector” Registration Law
Co-authored with Kelly Brandmeyer, FPF U.S. Policy Intern
In a two-day span from June 28 to June 30, the New Jersey legislature introduced and passed A5328, amending New Jersey’s comprehensive privacy law and establishing new data broker and “data collector” registration requirements. The new data broker law has a uniquely broad scope and high financial costs. The law requires not only data brokers to register annually, but also “data collectors”—businesses that have a direct relationship with a consumer but sell personal data to data brokers. The law’s fees and penalties also extend beyond those in existing state data broker laws, with registration fees ranging as high as $1.5M annually and penalties of $2,500 per day for registration-related violations and $50,000 per record for prohibited sales of sensitive data.
Governor Sherrill approved the bill on June 30, and the law took effect immediately, except for the creation of the “data broker” and “data collector” registry by the Division of Consumer Affairs in the Department of Law and Public Safety, which will become operative 270 days after enactment. This blog post provides an overview of the bill, including the changes made to the comprehensive privacy law as well as the definitions and requirements of the new data broker registration requirements.
Comprehensive Privacy Law Amendment
This bill amends N.J. Stat. Ann. § C.56:8-166.12 (i.e., controllers’ duties) to prohibit a controller from selling sensitive data. Notably, this prohibition would apply “to all individuals or legal entities regardless of the number of consumers whose data the individual or entity controls or processes.” This means that the law’s applicability thresholds—i.e., limited scope to controllers who control or process the personal data of (1) at least 100K consumers or (2) of at least 25K consumers and who derive revenue from the sale of personal data—do not apply to this requirement, so small- and medium-sized entities who are otherwise outside the scope of the law would be subject to the prohibition. If a controller violates this provision and is either a “data broker” or “data collector” under the new data broker registration provisions (see below), then the civil penalty is $50,000 per record sold, offered for sale, or licensed. (A5328, §§ 1 & 5.)
This is consistent with a legislative trend. Maryland banned the sale of sensitive data when it passed its law in 2024. Since then, Oregon, Virginia, and Connecticut have amended their comprehensive privacy laws to ban the sale of specific types of sensitive data.
Definitions and Scope: New Data Broker Requirements
The new requirements under this bill are scoped to data brokers and data collectors.
- “Data broker” is defined as a person or entity that “knowingly collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells or licenses that data to a third party.” The definition includes an illustrative list of direct relationships, including a “past or present . . . customer, client, subscriber, or user of the person or legal entity’s goods or services.” This definition is substantially similar to the definition that Vermont’s law had prior to being amended this year. Oregon’s data broker registration law includes the closest active definition. The definition clarifies that a processor is not a third party if “disclosure of personal data to the processor is solely to process the personal data on the data broker’s or data controller’s behalf.” (A5328, § 2(a).)
- “Data Collector” is defined as “a business, or units of a business, separately or together, that knowingly: (1) collect the personal data of a consumer with whom the data collector has a direct relationship; and (2) sell or license such personal data to a data broker.” (A5328, § 2(a).)
- Existing definitions under New Jersey’s comprehensive privacy law—including consumer, de-identified data, personal data, precise geolocation data, process, processor, publicly available information, sale/sell, and sensitive data—are reproduced rather than cross-referenced. Although these definitions largely mirror those under the NJDPA, with conforming changes such as changing “controller” to “data broker or data collector,” there are a few other changes. “Sale” is defined as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration” and, unlike under the comprehensive privacy law, this definition contains no exclusion list, broadening its scope. For “de-identified data,” the contractual obligations that must be imposed on recipients of de-identified data have an added requirement that a data broker or data collector must “enforce[ ] or otherwise ensure[ ] compliance with” the contractual obligations. (A5328, § 2(a).)
Entity- and Data-Level Exemptions: Different sections of the bill have distinct exemptions.
Unique Scope. Compared to the existing and recently enacted or amended data broker registration laws in California, Connecticut, Oregon, Texas, and Vermont, this bill is unique in that it also extends to “data collectors” who have a direct relationship with consumers. Businesses that sell personal data will have to implement new monitoring and due diligence requirements to ascertain whether a recipient of that data is a data broker under New Jersey’s law.
Registration Requirements
Data brokers and data collectors engaged in selling or licensing personal data of New Jersey consumers will be required to annually register with the Division of Consumer Affairs in the Department of Law and Public Safety (“Division”), which will then establish and maintain a public registry of data brokers and data collectors. Similar to existing state data broker registration laws, registrants will have to pay a fee and provide required information with their registration application.
The registration fees are much higher than under other data broker registration laws, and they increase based on the number of New Jersey consumers whose data are collected and sold or licensed. The lower end of the spectrum is $5,000 for data brokers that sell or license (or data collectors that collect and sell or license to a data broker) the personal data of 100,000 or fewer consumers. The highest fee is $1,500,000 for entities that sell or license the personal data of 4.5 million or more consumers. Critically, the law does not specify a specific deadline or timeframe for data brokers and data collectors to register other than “annually.” The law also does not specify the relevant timeframe for determining the relevant number of consumers whose personal data are collected and sold or licensed for determining the applicable registration fee.
There are nine categories of information that a data broker or data collector must provide with its application. These include information about: the business, such as physical, email, and website addresses; opt-outs offered; consumers’ ability to delete their data; limitations on opt-outs; any credentialing process for purchasers of data; a history of data breaches and cybersecurity events affecting the business; “data collection practices, databases, sales activities, and opt-out methods that are applicable to” data of minors (under 18); anything the Division “deems appropriate” to implement; and processors who process personal data on behalf of the data broker or data collector. Compared to the existing state data broker registration laws, these disclosures are substantial—more detailed and numerous than under some of the laws, though not as intensive as California’s Delete Act.
Entity- and Data-Level Exemptions: This section of the bill includes a number of exemptions, including for: protected health information under HIPAA; financial institutions, data, and affiliates subject to GLBA; secondary market institutions; certain insurance institutions and insurance-support organizations; personal data sold by the New Jersey Motor Vehicle Commission as permitted by the federal DPPA; personal data collected, processed, sold, or disclosed by a consumer reporting agency if authorized under FCRA; state agencies and political subdivisions (or instrumentalities of political subdivisions); personal data collected, processed, or disclosed as part of research meeting certain safeguards under federal law; and national securities associations registered pursuant to the Section 15A of the Securities Exchange Act.
The bill also exempts certain activities, such as developing or maintaining a third-party e-commerce or application platform, providing 411 directory assistance or directory information services, or providing publicly available information for certain purposes. However, an entity engaged in those activities is considered a data broker if it sells or licenses data to third parties in a way that is not incidental to one of those exempted activities. There are additional exemptions for (1) nonprofits providing enrollment data reporting services on behalf of postsecondary educational institutions and (2) providing title and settlement services.
Prohibition on Selling Sensitive Data
The bill prohibits data brokers or data collectors from selling or licensing sensitive data “to any other individual or entity.” This is a broader prohibition than under the comprehensive privacy law because the relevant definition of sale lacks common exceptions for disclosure of personal data to a processor, disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer, the disclosure or transfer of personal data to an affiliate, the intentional disclosure of personal data by a consumer to the general public through a mass media channel, or the disclosure or transfer of personal data to a third party as part of a merger, acquisition, or bankruptcy. (A5328, § 3(a).)
Entity- and Data-Level Exemptions: This section is subject to a separate set of exemptions than the prior section concerning registration. These exemptions appear to be substantially similar to the ones above, apart from the absence of exemptions for certain enumerated activities such as developing or maintaining a third-party e-commerce or application platform, providing 411 directory assistance or directory information services, or providing publicly available information for certain purposes. (A5328, § 3(b).)
Enforcement
Failure to register—or failure to submit or update required information—will result in a civil penalty of $2,500 per day for a data broker or data collector, in addition to the registration fee. It is notable that these penalties are uncapped. Oregon’s data broker registration law, for example, caps annual fees at $10,000. In contrast, noncompliance with New Jersey’s registration requirement could generate up to $912,500 in fees after 365 days.
Any data broker or data collector that sells, offers for sale, or licenses sensitive data will be subject to a civil penalty of $50,000 per record sold, offered for sale, or licensed. (A5328, §§ 4 & 5.)
Construction and Rulemaking
The bill provides that the data broker and data collector requirements apply “in addition to and not in lieu of the provisions of” New Jersey’s comprehensive privacy law. Like with the comprehensive privacy law, the Director of the Division of Consumer Affairs has rulemaking authority. (A5328, §§ 6 & 7.)