New Jersey just created the most expensive data broker law in America.
On June 30, 2026, New Jersey Governor Mikie Sherrill signed Assembly Bill 5328 into law, creating a new data broker registry, extending obligations beyond traditional data brokers to certain “data collectors,” and establishing annual registration fees that can reach $1.5 million per year. The law also prohibits the sale or licensing of sensitive data and creates a potential $50,000-per-record penalty for violations.
This is not a routine registration law. It is a major compliance event for the data broker industry.
For years, data broker compliance in the United States was mostly about registering in a handful of states, disclosing basic business information, maintaining an opt-out page, and responding to privacy rights requests. New Jersey has raised the stakes. The state is now using the data broker registration model to impose much higher fees, more detailed disclosure obligations, and a stricter posture toward sensitive data sales.
The message is clear: if your company collects, buys, sells, licenses, enriches, appends, transfers, monetizes, or supplies personal data into the data broker ecosystem, you need to review whether the New Jersey Data Broker Law applies to you.
Why the New Jersey Data Broker Law Is So Expensive
Between the DROP Act in California and the New Jersey Data Broker Law these new regulations matters for three expensive reasons.
First, it creates the highest data broker registration fees in the country. Existing state data broker registration fees are generally in the hundreds or low thousands of dollars. New Jersey’s fee structure starts at $5,000 and rises to $1.5 million depending on the number of New Jersey consumers whose personal data is sold or licensed.
Second, it covers more than traditional data brokers. The law applies not only to businesses that collect or purchase personal data about consumers with whom they do not have a direct relationship, but also to certain “data collectors” that have a direct relationship with consumers and sell or license personal data to data brokers.
Third, it adds a serious sensitive data restriction. New Jersey’s law prohibits data brokers and data collectors from selling or licensing sensitive data, and it also amends the state’s broader consumer privacy law to prohibit the sale of sensitive data more generally, regardless of how many consumers a business controls or processes.
That combination makes New Jersey different. California is still the leader on centralized deletion requests through DROP. Connecticut is now following California’s deletion model. Vermont is adding more due diligence and bond requirements. Texas is focused on registration, notice, and security. Oregon has a registry and opt-out disclosures. Nevada has a narrower data broker opt-out structure. But New Jersey has created the most expensive registration framework in the United States.
Who Is Covered by the New Jersey Data Broker Law?
The New Jersey Data Broker Law applies to two important categories: data brokers and data collectors.
A data broker is generally a person or legal entity that knowingly collects or purchases personal data about a New Jersey consumer with whom it does not have a direct relationship and sells or licenses that data to a third party. The law says a third party does not include a processor where the disclosure is solely for processing personal data on the data broker’s or data collector’s behalf.
A data collector is a business, or units of a business, that knowingly collects personal data from consumers with whom it has a direct relationship and then sells or licenses that personal data to a data broker.
This “data collector” category is one of the most important parts of the law. It means companies cannot simply assume they are outside the law because they have a direct relationship with consumers. If they sell or license consumer personal data to a data broker, they may now have their own registration and disclosure obligations.
The New Category That Should Worry Companies: Data Collectors
Most state data broker laws focus on companies that operate in the background and do not have a direct relationship with consumers. New Jersey expands the compliance perimeter.
For example, a company may have a first-party relationship with consumers because people sign up for its app, use its website, buy its product, subscribe to its service, join its loyalty program, complete a lead form, or create an account. Under older data broker models, that direct relationship might have reduced the likelihood that the company would be treated as a traditional data broker.
New Jersey changes that analysis.
If that same company sells or licenses consumer personal data to a data broker, the company may be treated as a data collector under the New Jersey law. That could pull more businesses into the registry than many teams expect.
This matters for:
- lead generation companies;
- people-search businesses;
- data enrichment providers;
- marketing data companies;
- adtech companies;
- analytics companies that monetize audience data;
- publishers that license audience segments;
- loyalty platforms;
- ecommerce companies that transfer customer data into resale or enrichment networks;
- identity graph providers;
- mobile app companies that share device, location, or behavioral data;
- companies that sell lists, leads, segments, audiences, or appended profiles.
The practical compliance question is no longer only, “Are we a data broker?”
The better question is: Do we sell or license New Jersey consumer data into the data broker ecosystem?
What Counts as a Sale or License?
The New Jersey law uses a broad concept of sale. It generally tracks the idea of disclosure or transfer of personal data for monetary or other valuable consideration. That means companies should not limit the analysis to obvious cash-for-list transactions.
Data sharing may need review if it involves:
- audience monetization;
- lead sales;
- data licensing;
- identity resolution;
- retargeting pools;
- data co-ops;
- list rentals;
- data append services;
- lookalike modeling;
- consumer profile enrichment;
- location data transfers;
- hashed email sharing;
- mobile advertising ID sharing;
- cookie syncing and adtech identity sharing;
- “free” data exchanges that involve valuable consideration.
Adtech deserves special attention. Many businesses do not think of website tracking, pixel sharing, cookie syncing, audience uploads, or advertising integrations as data brokerage. But regulators increasingly examine whether data flows in the advertising ecosystem constitute a sale, sharing, licensing, transfer, or targeted advertising disclosure. If a company is supplying consumer data to entities that aggregate, enrich, resell, license, or otherwise monetize that data, New Jersey’s law should be part of the legal review.
New Jersey Data Broker Registration Fees
The fee structure is the headline.
New Jersey’s annual registration fee depends on the number of New Jersey consumers whose personal data the data broker possesses or whose personal data the data collector collects and sells or licenses to a data broker. The tiers are as follows:
| New Jersey Consumers Covered | Annual Registration Fee |
|---|---|
| 100,000 or fewer New Jersey consumers | $5,000 |
| More than 100,000 and fewer than 500,000 New Jersey consumers | $10,000 |
| More than 500,000 and fewer than 1 million New Jersey consumers | $100,000 |
| More than 1 million and fewer than 1.5 million New Jersey consumers | $500,000 |
| More than 1.5 million and fewer than 2.5 million New Jersey consumers | $750,000 |
| More than 2.5 million and fewer than 4.5 million New Jersey consumers | $1,000,000 |
| More than 4.5 million New Jersey consumers | $1,500,000 |
The jump between tiers matters. A company with fewer than 100,000 covered New Jersey consumers pays $5,000. A company above 500,000 but below 1 million pays $100,000. A company above 1 million pays $500,000. A company above 4.5 million pays $1.5 million.
That is a very different model from states where registration is mostly a modest administrative filing fee.
New Jersey Compared to Other State Data Broker Laws
State data broker laws are no longer moving in one direction. Each state is creating its own structure, definition, fee model, consumer request process, disclosure obligation, and enforcement regime. The comparison below shows why New Jersey is now the costliest state for data broker registration.
| State | Core Coverage | Registration Fee | Key Obligations | Major Penalties / Risk | What Makes It Different |
|---|---|---|---|---|---|
| New Jersey | Data brokers and certain data collectors that sell or license consumer data to data brokers. | $5,000 to $1.5 million annually, based on number of New Jersey consumers. | Annual registration, extensive disclosures, processor identification, breach and cybersecurity event history, opt-out/deletion disclosures, purchaser credentialing disclosures, under-18 data disclosures. | $2,500 per day for failure to register or update required information; $50,000 per record for unlawful sale, offer for sale, or licensing of sensitive data. | Most expensive fee structure in the country and first major state model to expressly regulate “data collectors” that supply data brokers. |
| California | Businesses that knowingly collect and sell personal information of consumers with whom they do not have a direct relationship. | $6,000 plus processing fee for 2026 registration, according to the California Privacy Protection Agency. | Annual registration with CalPrivacy, public registry disclosures, consumer deletion request metrics, DROP account setup, processing of DROP deletion requests. | $200 per day for failure to register; $200 per day per deletion request for failure to delete as required. | California operates DROP, a centralized deletion platform through which residents can submit deletion requests to active data brokers. Data brokers must begin processing DROP requests on August 1, 2026. |
| Connecticut | Businesses, or portions of businesses, that sell or license brokered personal data to another person. | $2,500 annual registration fee. | Registration with the Department of Consumer Protection, privacy policy obligations, disclosure requirements, future centralized deletion mechanism, and independent audits beginning in 2031. | Up to $200 per day per consumer for violations of data broker provisions. | Connecticut follows California by creating a centralized deletion mechanism, scheduled for 2028, and requires brokers to check it at least once every 45 days once deletion obligations begin. |
| Vermont | Businesses that collect and sell or license brokered personal information of consumers with whom they do not have a direct relationship. | Increasing from $100 to $900 under 2026 amendments. | Annual registration, expanded disclosures, recipient due diligence, broader definition of brokered personal information, and a $20,000 surety bond requirement beginning under the amended law. | Failure to register increases to $200 per day; incomplete filings can trigger $1,000 per day; materially incorrect information can trigger a $25,000 penalty. | Vermont was the first broad data broker law and is now adding “know your customer” style due diligence and bond requirements. |
| Texas | Business entities whose principal source of revenue is derived from collecting, processing, or transferring personal data not collected directly from the individual, subject to statutory thresholds and exemptions. | $300 registration fee and $300 annual renewal fee. | Annual registration with the Secretary of State, conspicuous website or app notice, description of categories of data processed and transferred, child-data disclosures if applicable, and comprehensive information security program. | $100 per day plus unpaid registration fees, capped at $10,000 in a 12-month period for Data Broker Act penalties; data security violations may also be treated as deceptive trade practices. | Texas is more prescriptive on security program requirements and requires a public notice that the entity is a data broker. |
| Oregon | Business entities or parts of business entities that collect and sell or license brokered personal data. | $600 renewal fee, with registration administered by the Oregon Division of Financial Regulation. | Registration, disclosure of the nature and categories of brokered personal data, opt-out method disclosures if offered, and updates when consumer opt-out methods change. | Up to $500 per violation and $500 per day for continuing violations, capped at $10,000 per calendar year. | Oregon has a registry model with opt-out transparency, but no California-style centralized deletion mechanism. |
| Nevada | Narrower data broker framework focused on entities whose primary business involves purchasing covered information about Nevada consumers with whom they have no direct relationship and selling that information. | No comparable annual public registry fee structure like New Jersey, California, Connecticut, Texas, Oregon, or Vermont. | Data brokers must provide a designated request address and honor verified requests directing the broker not to sell covered information. | Enforcement exists under Nevada privacy law, but the model is narrower than full registry states. | Nevada regulates data broker opt-out rights but does not operate like the major registration-fee states. |
What Information Must Be Submitted in New Jersey?
Registration is not just a payment. Data brokers and data collectors must provide extensive information to the New Jersey Division of Consumer Affairs.
The required registration information includes, among other items:
- the data broker’s or data collector’s name;
- primary physical address;
- email address;
- website address;
- whether individuals may opt out of collection practices;
- how opt-out requests can be submitted;
- whether the opt-out is limited to certain activities or sales;
- whether individuals can authorize a third party to opt out on their behalf;
- whether individuals can request deletion of personal data;
- data collection, database, or sales activities from which consumers may not opt out;
- whether the company uses a credentialing process for data purchasers;
- a general explanation of the purchaser credentialing process, if used;
- a history of data breaches and other cybersecurity events affecting personal identifying information;
- a separate statement about data collection, databases, sales activities, and opt-out methods applicable to persons under 18;
- whether the company has actual knowledge that it possesses personal identifying information of persons under 18;
- processors that process personal data on behalf of the data broker or data collector.
These disclosures are important because they force companies to document more than corporate identity. New Jersey is asking for a practical map of how the business collects, sells, licenses, protects, and responds to requests involving personal data.
The Sensitive Data Ban Is a Major Enforcement Risk
New Jersey’s new law does more than create a registry. It prohibits a data broker or data collector from selling or licensing sensitive data to any other individual or entity, subject to certain exemptions. The law also amends New Jersey’s consumer privacy statute to prohibit the sale of sensitive data more broadly, regardless of the number of consumers whose data the individual or entity controls or processes.
The penalty is severe: $50,000 for each record sold, offered for sale, or licensed in violation of the sensitive data prohibition.
For data brokers, this should trigger an immediate sensitive data review.
Companies should examine whether they sell, license, offer, append, enrich, or transfer data that may reveal or include sensitive information, including categories such as health information, precise geolocation, biometric data, genetic data, information about children, immigration or citizenship data, race or ethnic origin, religious beliefs, sexual orientation, gender identity, financial account information, government identifiers, and other categories treated as sensitive under applicable law.
The legal risk is not theoretical. A per-record penalty can become catastrophic quickly. A dataset with 1,000 problematic records could create a theoretical exposure of $50 million. A dataset with 10,000 problematic records could create a theoretical exposure of $500 million. A large-scale sensitive data product could create existential risk.
When Does the New Jersey Data Broker Law Take Effect?
The New Jersey law took effect immediately when signed, except that the registry provisions are inoperative for 270 days after enactment. Because the law was approved on June 30, 2026, the registry timing points to March 27, 2027.
Companies should not wait until the registry opens. The work required to determine whether the law applies, identify New Jersey consumer volumes, map data flows, analyze sensitive data, classify recipients, review contracts, build request-handling procedures, and prepare registration disclosures can take months.
How Data Brokers Should Comply With the New Jersey Data Broker Law
Data brokers should treat New Jersey as a full compliance project, not a one-time filing.
1. Determine whether you are a data broker or data collector.
Start with a legal classification exercise. Review whether the company collects or purchases personal data about New Jersey consumers with whom it has no direct relationship and sells or licenses that data. Then separately analyze whether the company has a direct consumer relationship but sells or licenses personal data to data brokers.
2. Map all New Jersey consumer data.
Identify where New Jersey consumer data is collected, purchased, appended, stored, enriched, sold, licensed, transferred, or disclosed. This should include CRM systems, data warehouses, adtech tools, data clean rooms, identity graphs, lead systems, APIs, vendor platforms, partner exports, data feeds, and offline files.
3. Count New Jersey consumers by tier.
The registration fee depends on the number of New Jersey consumers whose personal data is possessed, collected, sold, or licensed under the applicable tier. That makes population counting a financial control issue. Data brokers need a defensible methodology for counting New Jersey consumers and documenting the basis for the selected fee tier.
4. Identify all sales and licenses.
Create an inventory of all recipients that receive personal data for monetary or valuable consideration. Do not limit the review to obvious data sales. Include audience transfers, marketing data licenses, lead sales, enrichment feeds, data co-ops, data partnerships, and adtech arrangements.
5. Screen all recipients for data broker status.
Because the law creates obligations for data collectors that sell or license data to data brokers, companies need to understand whether recipients are data brokers. That requires due diligence, contract review, registry checks, questionnaires, and ongoing vendor governance.
6. Conduct a sensitive data audit.
Identify whether any datasets, fields, segments, inferences, profiles, or audiences include sensitive data. Pay special attention to precise location, health interests, financial hardship, children’s data, government identifiers, biometrics, genetic information, race, ethnicity, religious inference, sexual orientation, immigration status, and other sensitive attributes.
7. Stop prohibited sensitive data sales.
If sensitive data is being sold, offered for sale, licensed, or made available through a product, feed, segment, API, or partner relationship, evaluate whether it must be stopped, segregated, suppressed, or restructured. The $50,000-per-record penalty makes this a board-level risk.
8. Prepare registration disclosures.
New Jersey requires information about opt-outs, deletion rights, purchaser credentialing, breaches, cybersecurity events, under-18 data, and processors. These disclosures should be accurate, consistent with public privacy notices, and supported by internal documentation.
9. Review opt-out and deletion processes.
Data brokers should be prepared to disclose whether consumers can opt out and whether consumers can request deletion. The company should ensure that public privacy rights workflows, internal ticketing, verification rules, suppression processes, and downstream deletion instructions are operational.
10. Automate subject rights and removal requests.
Data brokers are likely to see more consumer rights requests and third-party authorized agent requests from services such as PrivacyHawk, Incogni, DeleteMe, and Cloaked. Manual processing creates labor cost, inconsistency, missed deadlines, and enforcement risk. An automated DSAR and subject rights request platform can help route, verify, track, document, and fulfill deletion and opt-out requests at scale.
Captain Compliance’s subject rights request automation software helps companies automate data access, deletion, opt-out, and removal workflows so legal and compliance teams are not forced to manage large volumes of requests manually. For data brokers, this can reduce legal exposure, lower staffing costs, improve audit readiness, and create a defensible record of compliance.

Why Data Broker Removal Requests Are About to Become More Expensive
Data broker compliance is moving from static registration to operational request fulfillment.
California’s DROP platform allows California residents to submit a deletion request to active data brokers through a centralized system, and data brokers must begin processing DROP requests on August 1, 2026. California requires data brokers to process DROP requests at least once every 45 days and report request status through the platform.
Connecticut is building a similar centralized deletion mechanism, with implementation required by July 1, 2028 and deletion obligations beginning October 1, 2028. Registered data brokers will need to access the mechanism at least once every 45 days.
New Jersey does not currently create a California-style centralized deletion portal. But it does require disclosure of whether individuals can direct deletion of personal data and whether individuals can authorize third parties to opt out on their behalf.
The result is obvious. Data brokers need a request-handling program that works across multiple states, multiple definitions, multiple request types, and multiple authorized agent channels.
That includes requests from consumers directly, privacy agents, removal companies, attorneys, and automated rights platforms. A company that receives thousands or tens of thousands of deletion and opt-out requests cannot rely on spreadsheets, shared inboxes, and manual identity matching. That approach increases the risk of missed deadlines, inconsistent responses, deletion failures, and poor audit trails.
Who Is Most at Risk Under the New Jersey Data Broker Law?
The highest-risk companies are not limited to traditional list brokers.
Companies should review New Jersey exposure if they operate in:
- data brokerage;
- people search;
- background data;
- lead generation;
- data enrichment;
- identity resolution;
- location intelligence;
- adtech;
- marketing analytics;
- audience segmentation;
- consumer profiling;
- data licensing;
- alternative data;
- credit-adjacent data products;
- risk scoring;
- fraud detection data products;
- mobile app monetization;
- publisher audience monetization;
- retail media data sharing;
- data co-ops and consortiums.
Companies that collect information directly from consumers should be especially careful. New Jersey’s “data collector” concept means that first-party data collection does not automatically end the analysis if the company sells or licenses personal data to data brokers.
Common Mistakes Data Brokers Should Avoid
Mistake 1: Assuming registration is cheap because it is cheap in other states.
That assumption is now wrong. New Jersey’s fee structure is materially different from California, Connecticut, Texas, Oregon, Vermont, and Nevada. A company that treats registration as a small administrative task may be surprised by a six- or seven-figure annual fee.
Mistake 2: Assuming a direct consumer relationship means the law does not apply.
New Jersey’s data collector category changes the analysis. A business with a direct relationship may still be covered if it sells or licenses personal data to a data broker.
Mistake 3: Ignoring adtech and audience data flows.
Advertising data transfers, hashed identifiers, cookie syncing, audience uploads, and identity resolution arrangements should be reviewed. The fact that a transfer occurs through a marketing stack does not automatically make it irrelevant to data broker compliance.
Mistake 4: Not knowing whether recipients are data brokers.
If you sell or license data to another company, you need to know who they are, what they do with the data, whether they are registered where required, whether they resell or license data, and whether they qualify as a data broker under New Jersey law.
Mistake 5: Treating sensitive data as just another dataset.
The $50,000-per-record penalty changes the economics of sensitive data. Sensitive data inventory, suppression, contractual restrictions, and product review should become immediate priorities.
Mistake 6: Handling deletion and opt-out requests manually.
Manual workflows are not built for the next wave of data broker compliance. With California DROP, Connecticut’s future deletion mechanism, authorized agents, and third-party removal services increasing request volume, automation is becoming a compliance necessity.
What Data Brokers Should Do To Be Compliant (Use Captain Compliance’s DSAR Software)
Data brokers should begin with a practical compliance review focused on New Jersey exposure.
A strong review should answer:
- Do we collect or purchase personal data about New Jersey consumers with whom we do not have a direct relationship?
- Do we sell or license that data to third parties?
- Do we collect personal data directly from consumers and sell or license it to data brokers?
- How many New Jersey consumers are in our datasets?
- Which registration fee tier applies?
- Do we sell, offer for sale, or license sensitive data?
- Which vendors, partners, customers, and recipients receive personal data?
- Are any recipients data brokers?
- Do we have a defensible opt-out and deletion process?
- Can we handle authorized agent requests?
- Can we process requests from PrivacyHawk, Incogni, DeleteMe, Cloaked, and similar removal services?
- Do we maintain records showing how requests were verified, routed, completed, denied, or escalated?
- Do our public privacy notices match our actual data practices?
- Can we produce the registration disclosures New Jersey requires?
New Jersey Has Changed the Cost of Data Broker Compliance
New Jersey’s law is a warning sign for the entire data broker industry.
The old model was registration, basic disclosure, and reactive response handling. The new model is more expensive, more operational, more state-specific, and more sensitive-data focused.
For small data brokers, New Jersey’s minimum $5,000 fee may still be manageable. For mid-market data brokers, the jump to $100,000 or $500,000 can change the economics of doing business in the state. For large data brokers, the $1.5 million annual fee is no longer a privacy paperwork issue. It is a major budget item.
And the fee is only one part of the risk. The larger issue is whether the company can prove what it collects, where it came from, who receives it, whether it includes sensitive data, how consumers can opt out, how deletion requests are handled, and whether its registrations are accurate.
That is where many companies are exposed.
Schedule a Data Broker Compliance Review
If your company sells, licenses, enriches, appends, transfers, or monetizes consumer data, now is the time to review whether the New Jersey Data Broker Law applies.
Captain Compliance can help data brokers and data collectors assess registration obligations, map data sales and licensing flows, review sensitive data risk, evaluate opt-out and deletion processes, and automate subject rights request handling.
Schedule a data broker compliance review to understand your New Jersey exposure and prepare your privacy program before registration obligations and enforcement risk become more expensive.