WeVote

Bill

Bill

S 2316

Regulates data brokers, data collectors, and collection and dissemination of certain sensitive information.**

2026-2027 Regular Session Introduced by John McKeon and 2 co-sponsors

New Jersey would create a public data broker registry, require annual registration and fees, disclose practices, and ban selling physical or behavioral health records.

Substituted by A5328 (1R)
0
WeVote Research Nonpartisan
Bill Summary · S 2316

Overview

S 2316 (New Jersey, Session 222) would create a public registry of data brokers operating in New Jersey, require annual registration and fees, and prohibit the sale or transfer of physical or behavioral health records by data brokers. The bill defines key terms (data broker, personal identifying information, physical/behavioral health records) and establishes penalties for noncompliance.

Purpose and Intent

  • Increase transparency around data brokers by establishing a state registry and requiring periodic disclosures.
  • Protect sensitive health information by prohibiting data brokers from selling or transmitting physical health records or behavioral health records.
  • Set administrative rules and penalties to enforce compliance.

Key Provisions

  • Public Registry (Section 2a): The Division of Consumer Affairs must establish and maintain a public registry of data brokers doing business in New Jersey. Registry entries must include:
    • Data broker name and physical address
    • General email address for privacy queries
    • General website URL and a separate page for privacy policies
    • Relevant opt-out information
    • Information updated at least annually
  • Registration and Fee (Section 2b): Each data broker must annually register with the division and pay a $100 registration fee. Fees support the registry.
  • Required Disclosure at Registration (Section 2c): Brokers must submit and periodically update:
    • Contact addresses (physical, email, website)
    • Opt-out options and methods, including whether third parties can opt out on an individual’s behalf
    • Any categories of data or activities from which opt-out does not apply
    • Whether a credentialing process exists for data purchasers and a general description if applicable
    • History of data breaches/cybersecurity incidents and affected individuals
    • Separate summary of practices affecting individuals under 18 (data collection, sales, opt-out, existence of under-18 data)
    • Any additional information the division deems necessary
  • Definitions (Section 1): Clarifies terms such as:
    • Behavioral health care/record
    • Physical health care/record
    • Personal identifying information (PII) and exclusions for publicly available business/profession information
    • Division as the Division of Consumer Affairs
  • Data Broker Exemptions (Section 2d):
    • Certain activities may cause a business to be exempt from being treated as a data broker if the data collection/sales is incidental to:
    • Developing/maintaining a third-party e-commerce or app platform
    • Providing 411 directory assistance or directory information services for a telecom carrier
    • Providing publicly available information related to an individual's business or profession
    • Providing publicly available health/safety alert services
    • However, if data collection/sales is not incidental to those activities, the business remains a data broker (subject to the bill) unless exempt by other provisions.
    • Financial institutions or affiliates under Gramm-Leach-Bliley Act Title V are exempt from data broker classification.
  • Prohibition on Health Records (Section 3): Under no circumstances may a data broker sell, offer to sell, license, or otherwise transfer physical health records or behavioral health records.
  • Penalties (Section 4):
    • $50 per day for failure to register or pay the annual fee (Section 4a)
    • $50 per day for failure to submit or update required information (Section 4b)
    • $1,000 per health record sold or transmitted in violation of the health-record prohibition (Section 4c)
    • Penalties are enforced through the Division via the Penalty Enforcement Law of 1999 (Section 4d)
  • Administration (Section 5): The Director of the Division of Consumer Affairs will adopt rules/regulations as needed to implement the act.
  • Effective Date (Section 6): Act takes effect immediately, but subsections 4a and 4b (penalties for nonregistration and noncompliance with reporting) become operative 180 days after enactment.

Affected Parties

  • Data brokers operating in New Jersey (subject to registration, disclosure, and penalties).
  • Individuals whose personal identifying information could be held by data brokers, particularly those concerned with health data privacy.
  • Financial institutions or affiliates regulated under GLBA may be exempt from data-broker status.
  • Consumers seeking to understand privacy policies and opt-out options via the public registry.

Procedural and Timeline Aspects

  • Effective date: immediate enactment.
  • Penalties for nonregistration/late fees start 180 days after enactment; other penalties for failure to provide/update information or violate health-record prohibition apply from enactment.
  • Annual updates to registry information and ongoing enforcement by the Division of Consumer Affairs.

Practical Implications

  • Enhanced transparency: Consumers can access a centralized source detailing data brokers’ contact information, opt-out mechanisms, and breach histories.
  • Privacy protections: Explicit prohibition on sale of physical or behavioral health records by data brokers.
  • Administrative burden: Data brokers must implement ongoing data collection, breach reporting, and routine updates to the registry, plus comply with annual fees and disclosures.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.