WeVote

Bill

Bill

A 5328

Regulates data brokers, data collectors, and collection and dissemination of certain sensitive information.

2026-2027 Regular Session Introduced by John McKeon and 2 co-sponsors

New Jersey requires data brokers/collectors to register, disclose processing, and bans selling highly sensitive data, with penalties up to $50k per record and daily fines.

Approved P.L.2026, c.25.
0
WeVote Research Nonpartisan
Bill Summary · A 5328

Summary of Bill A5328 (New Jersey, 222nd Legislature)

Purpose and intent

  • This bill regulates data brokers, data collectors, and the collection, use, and dissemination of certain personal and sensitive information of New Jersey residents.
  • It builds on and supplements P.L.2023, c.266 (the state’s existing data privacy framework) by adding new definitions, obligations, a public registry, annual registration, and penalties for noncompliance.
  • The overarching aim is to increase transparency, limit certain high-risk data processing, and impose financial consequences for failures to comply.

Key provisions and changes

  • Expanded prohibitions on selling sensitive data

    • A data broker or data collector is prohibited from selling or licensing sensitive data (e.g., health, financial, genetic/biometric data, precise geolocation, etc.) to any other party.
    • Certain HIPAA-related, financial, and other identified exemptions continue to apply under specific conditions.
  • Definitions and scope (new section)

    • Introduces precise definitions for:
    • Consumer (New Jersey resident, acting in individual/household context)
    • Data broker and data collector (with examples of direct relationships and exclusions for government entities)
    • De-identified data, precise geolocation data, controller, processor, personal data, sensitive data, etc.
    • Clarifies who is exempt from data broker/collector status (e.g., various federal/state entities, certain financial/insurance entities, some research activities, etc.).
  • Public registry (new section)

    • The Division of Consumer Affairs must establish a public registry of data brokers and data collectors processing New Jersey consumer data.
    • Registry fields include: name, physical address, general contact emails, website URLs (general and privacy-specific), and opt-out information.
  • Registration and reporting (new section)

    • Data brokers/collectors that sell or license New Jersey consumer data must register annually with the division and pay a fee based on the number of New Jersey consumers in their scope.
    • Fee schedule ranges from $5,000 (≤100k consumers) to $1.5 million (≥4.5 million consumers) with intermediate tiers.
    • Required annual or periodic disclosures include contact details, opt-out capabilities, data deletion rights, restricted opt-out categories, credentialing processes for purchasers, breach history, age-18-and-under data handling, and processor information.
  • Penalties (new sections)

    • Civil penalties of $2,500 per day for failure to register or pay the fee, and for failure to submit/update required information.
    • Additional civil penalties of $50,000 per record sold, offered for sale, or licensed in violation of the bill’s provisions.
    • Penalties are enforceable under the state’s Penalty Enforcement Law.
  • Effective date and administrative authority

    • The act takes effect immediately, with Section 2 (registration-related provisions) remaining inoperative for 270 days after enactment to allow for rulemaking and setup.
    • The Director of the Division of Consumer Affairs is tasked with adopting implementing regulations under the Administrative Procedure Act.

Who and what would be affected

  • Affected entities: Data brokers and data collectors operating in New Jersey that sell or license consumer personal data.
  • Consumers: New Jersey residents whose personal data is processed by registered data brokers/data collectors. Provisions also address data of individuals under 18.
  • Regulatory body: Division of Consumer Affairs (Department of Law and Public Safety) enforcing the act, maintaining the registry, and issuing regulations.

Procedural and timeline notes

  • Immediate enactment possible, with 270-day delay before inoperative provisions (Section 2) fully takes effect to allow registration framework to stand up.
  • Annual registry maintenance and public disclosure of opt-out and data practices are required.
  • The act supplements and operates in addition to existing data privacy laws (P.L.2023, c.266).

This summary presents the bill’s core structure and impacts without commentary on policy merits.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.