New Jersey’s A5328: The Data Broker Law That Comes for Companies With Direct Consumer Relationships

Table of Contents

Being framed as the most dangerous data broker law for business owners who do not consider themselves data brokers yet will share in serious financial and regulatory risk for non-compliance. For as long as state data broker laws have existed, one defense has been near-bulletproof: the direct relationship. If the consumer came to you — filled out your form, signed up for your service, became your customer — you weren’t a “data broker.” California built its law that way. Vermont, Texas, and Oregon followed the same basic logic. Lead generators, in particular, have leaned on that structure for years: the consumer submits the form, a direct relationship is formed, and the broker rules stay on the other side of the fence.

New Jersey just moved the fence and Captain Compliance is here to help get your business compliant, registered, and automate Data Broker Compliance Laws.

On June 30, 2026, Governor Mikie Sherrill signed A5328 into law, with most provisions taking effect immediately. It’s already being called the costliest data broker law in the country, and for once the hype undersells it. A5328 doesn’t just regulate data brokers — it creates an entirely new registrant category, the “data collector,” designed specifically to capture businesses that do have a direct relationship with the consumer and sell that data downstream.

If your business model involves collecting consumer data and monetizing it through sale or licensing — lead generation being the most obvious example — this law was written with you in mind.

The familiar definition — and the trap behind it

A5328’s definition of a “data broker” looks like the ones you already know: an entity that collects or purchases personal data about consumers with whom it has no direct relationship, and then sells or licenses that data. The law is even generous about what counts as a direct relationship, spelling out that past or present customers, subscribers, and users of your goods or services qualify, along with employees, contractors, agents, investors, and donors.

Under that definition alone, the lead-gen playbook survives. Consumer fills out the form, consumer becomes a user, direct relationship established, broker status avoided.

But New Jersey wrote a second definition, and it’s the one that changes everything. A “data collector” is a business that collects personal data from consumers it does have a direct relationship with — and then sells or licenses that data to a data broker.

Read that against a typical lead funnel. The consumer submits your form. You have your direct relationship. You then sell that lead to a buyer, an aggregator, or a network. If anyone in that downstream chain meets the data broker definition, you’re a data collector under New Jersey law — and New Jersey is the first and only state that requires data collectors to register at all.

The direct relationship no longer keeps you out of the regime. It’s the very thing that places you in the second bucket. The question that used to be a footnote in due diligence — “is our buyer technically a data broker?” — is now the entire analysis.

Registration fees that scale into seven figures

Both data brokers and data collectors must register, and the fee schedule is tiered by volume, not by whether you’re a small operation. It starts at $5,000 per year for entities touching the data of 100,000 New Jersey consumers or fewer — and there’s no exemption floor below that threshold. Sell any qualifying data and the registration obligation attaches. At the top of the range, the annual registration fee climbs to $1.5 million.

That’s not a penalty. That’s the recurring cost of legally operating and on top of this there is the NJ Data Protection Law as well and this just covers the state of New Jersey not the other states with data broker laws and states with data protection laws that you must comply with.

The public-facing registry goes live on March 27, 2027, but the substantive obligations attach now. That gap matters: once the registry is public, it becomes a research tool for regulators and plaintiffs’ attorneys alike. Businesses that should have registered and didn’t will be conspicuous by their absence — and businesses that did register will have publicly declared what they do with consumer data.

The sensitive data ban: no consent, no cure, no exceptions

The registration fees are the part of A5328 you can budget for. The sensitive data provision is the part you can’t.

The law states flatly that in no case shall a data broker or data collector sell or license sensitive data to any other individual or entity. There is no consent mechanism, no disclosure workaround, no opt-in pathway. The sale is simply prohibited.

And “sensitive data” under A5328 is expansive. It covers racial or ethnic origin, religious beliefs, mental or physical health conditions (including treatment and diagnosis), sex life or sexual orientation, citizenship status, transgender or non-binary status and gender identity — and financial information, which the law defines to include an account number, account login, or card number combined with any required security or access code.

That financial category is where a lot of ordinary lead-gen suddenly gets dangerous. Think about what actually flows through a mortgage lead form, an insurance quote request, or a debt-relief inquiry. Health conditions on life insurance leads. Financial details on lending leads. Data points that were routine yesterday are categorically unsellable today.

The penalty structure is what turns this from a compliance issue into an existential one: up to $50,000 per record. Not per incident. Not per breach. Per record. A single list of ten thousand leads containing a sensitive data element carries theoretical exposure of half a billion dollars.

What to do now

You don’t need a six-month remediation project to know whether you have a problem. You need to answer two questions about your three largest lead-buyer or data-purchaser relationships.

First: is the buyer — or anyone the buyer resells to — a data broker under New Jersey’s definition? Remember that your own status as a data collector turns entirely on the downstream chain, not on your own relationship with the consumer.

Second: does the data you pass along, or the data captured on your forms before any filtering, include anything on New Jersey’s sensitive data list? Pay particular attention to health-adjacent fields, financial account details, and any demographic data collected for matching or scoring purposes.

If you can answer both questions confidently in five minutes, you’re ahead of most of the market. If you can’t, that uncertainty is the exposure. The registration fee is a known, calculable cost of doing business. The sensitive-data penalty is the cost of not knowing what’s in your own funnel — and it compounds per record.

The bigger picture

A5328 is a signal, not an outlier. State legislatures have watched businesses structure around the “direct relationship” carve-out for years, and New Jersey just demonstrated how easy it is to legislate around the workaround. Expect other states to borrow the data collector concept — the drafting work has now been done for them.

Whether your operation lands in the data broker bucket, the data collector bucket, or genuinely neither is a determination worth making deliberately, on your own timeline — not after March 27, 2027, when the registry goes public and someone else makes the determination for you.

Not sure which bucket your business falls into under A5328? Captain Compliance helps companies map their data flows, classify their obligations under state data broker and privacy laws, and close the gaps before regulators or plaintiffs find them. Get in touch for a compliance assessment and audit by booking a demo below.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.