惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Project Zero
Project Zero
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Google DeepMind News
Google DeepMind News
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
G
Google Developers Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
D
DataBreaches.Net
博客园 - Franky
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Last Week in AI
Last Week in AI
NISL@THU
NISL@THU
T
Tailwind CSS Blog
博客园 - 【当耐特】
P
Privacy International News Feed
I
InfoQ
L
LINUX DO - 热门话题
H
Help Net Security
博客园 - 叶小钗
aimingoo的专栏
aimingoo的专栏
AWS News Blog
AWS News Blog
Scott Helme
Scott Helme
Cyberwarzone
Cyberwarzone
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Forbes - Security
Forbes - Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
WordPress大学
WordPress大学
T
Troy Hunt's Blog
Spread Privacy
Spread Privacy
V
V2EX
Cloudbric
Cloudbric
Security Latest
Security Latest
H
Heimdal Security Blog
S
Securelist
I
Intezer
F
Full Disclosure
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
小众软件
小众软件
Security Archives - TechRepublic
Security Archives - TechRepublic
L
Lohrmann on Cybersecurity
S
Schneier on Security
C
Cybersecurity and Infrastructure Security Agency CISA

Future of Privacy Forum

Navigating Cross-Border Data Transfers in the ASEAN Region: An Analysis of Developments from 2023 to 2026 FPF Submits Comments to Inform California Children’s Social Media Protections Rulemaking Process Mandating “Evidence-Based” Suicide Detection in Chatbots FPF Hosts Frontiers Workshop on Privacy, AI, and Emerging Infrastructure FPF’s 2026 DC Privacy Forum: Leading Voices in AI, Privacy and Emerging Technology Understanding Data Embassies and Corridors Perseverance Pays Off for Vermont Privacy Efforts Future of Privacy Forum Announces 2026 Career Achievement Award Recipients - Future of Privacy Forum Future of Privacy Forum Releases Comprehensive Report On Algorithmic Personalization in Youth Online Experiences Frontier AI Goes Federal: How the Great American AI Act Compares to State Laws Privacy Becomes You, Bayou State: A Look at the Louisiana Data Privacy Act Comparing Enacted App Store Accountability Acts - Future of Privacy Forum No Silver Bullet, But a Silver Lining? PETs and International Data Transfers Career Choice in the AI Age: What Next for Privacy and Data Professionals? FPF Releases Practitioner Guides on Privacy Enhancing Technologies for Education Stakeholders SB 5 in Five: What to Know About Connecticut’s New AI Law Third Time’s the Charm: Connecticut Enacts Annual Privacy Update - Future of Privacy Forum Colorado Revises Its AI Act: What Changed and Why The EU Commission’s Approach to Age Verification: Mobile Apps, DSA Enforcement, and Challenging National Social Media Bans Taking stock: The Impact of the India AI Impact Summit 2026 The New(ish) Architecture of Consumer Health and Artificial Intelligence Celebrating Another Year of Privacy and AI Governance: FPF at the 2026 IAPP Global Summit - Future of Privacy Forum Adapting the Privacy Profession to Changing Times More Parties, More Risks, More Opportunity? Evolving Governance to Support Cyber Resilience Amidst Evolving Policy and Technological Change Contextualizing the Proposed SECURE Data Act in the State Privacy Landscape FPF on the Securing and Establishing Consumer Uniform Rights and Enforcement Over Data ("SECURE Data") Act The Alabama Personal Data Protection Act Brings Consumer Privacy to the Heart of Dixie The Price is Right: Responsible Uses of Personal Data in Pricing Red Lines under the EU AI Act: Restricting Real-time Remote Biometric Identification Systems for Law Enforcement Purposes The Rest of the West: Oregon and Washington Build on California Chatbot Law Red Lines under the EU AI Act: Understanding the prohibition of biometric categorization for certain sensitive characteristics 2026 Chatbot Legislation Tracker Red Lines under EU AI Act: Unpacking the prohibition of emotion recognition in the workplace and education institutions Privacy Protections Coming Sooner Rather Than Later to the Sooner State Navigating Autonomy and Privacy in Emerging AgeTech: Insights from the FPF Roundtable Incentives or Obligations? The U.S. Regulatory Approach to Voluntary AI Governance Standards Red Lines under the EU AI Act: Understanding the ban of the untargeted scraping of facial images and facial recognition databases
Data Brokers & Beyond: Navigating New Jersey’s Data Broker & “Data Collector” Registration Law - Future of Privacy Forum
https://www.facebook.com/FutureofPrivacy · 2026-07-10 · via Future of Privacy Forum

Co-authored with Kelly Brandmeyer, FPF U.S. Policy Intern

In a two-day span from June 28 to June 30, the New Jersey legislature introduced and passed A5328, amending New Jersey’s comprehensive privacy law and establishing new data broker and “data collector” registration requirements. The new data broker law has a uniquely broad scope and high financial costs. The law requires not only data brokers to register annually, but also “data collectors”—businesses that have a direct relationship with a consumer but sell personal data to data brokers. The law’s fees and penalties also extend beyond those in existing state data broker laws, with registration fees ranging as high as $1.5M annually and penalties of  $2,500 per day for registration-related violations and $50,000 per record for prohibited sales of sensitive data. 

Governor Sherrill approved the bill on June 30, and the law took effect immediately, except for the creation of the “data broker” and “data collector” registry by the Division of Consumer Affairs in the Department of Law and Public Safety, which will become operative 270 days after enactment. This blog post provides an overview of the bill, including the changes made to the comprehensive privacy law as well as the definitions and requirements of the new data broker registration requirements.

Comprehensive Privacy Law Amendment

This bill amends N.J. Stat. Ann. § C.56:8-166.12 (i.e., controllers’ duties) to prohibit a controller from selling sensitive data. Notably, this prohibition would apply “to all individuals or legal entities regardless of the number of consumers whose data the individual or entity controls or processes.” This means that the law’s applicability thresholds—i.e., limited scope to controllers who control or process the personal data of (1) at least 100K consumers or (2) of at least 25K consumers and who derive revenue from the sale of personal data—do not apply to this requirement, so small- and medium-sized entities who are otherwise outside the scope of the law would be subject to the prohibition. If a controller violates this provision and is either a “data broker” or “data collector” under the new data broker registration provisions (see below), then the civil penalty is $50,000 per record sold, offered for sale, or licensed. (A5328, §§ 1 & 5.)

This is consistent with a legislative trend. Maryland banned the sale of sensitive data when it passed its law in 2024. Since then, Oregon, Virginia, and Connecticut have amended their comprehensive privacy laws to ban the sale of specific types of sensitive data. 

Definitions and Scope: New Data Broker Requirements

The new requirements under this bill are scoped to data brokers and data collectors.

  • “Data broker” is defined as a person or entity that “knowingly collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells or licenses that data to a third party.” The definition includes an illustrative list of direct relationships, including a “past or present . . . customer, client, subscriber, or user of the person or legal entity’s goods or services.” This definition is substantially similar to the definition that Vermont’s law had prior to being amended this year. Oregon’s data broker registration law includes the closest active definition. The definition clarifies that a processor is not a third party if “disclosure of personal data to the processor is solely to process the personal data on the data broker’s or data controller’s behalf.” (A5328, § 2(a).)
  • “Data Collector” is defined as “a business, or units of a business, separately or together, that knowingly:  (1) collect the personal data of a consumer with whom the data collector has a direct relationship; and (2) sell or license such personal data to a data broker.” (A5328, § 2(a).)
  • Existing definitions under New Jersey’s comprehensive privacy law—including consumer, de-identified data, personal data, precise geolocation data, process, processor, publicly available information, sale/sell, and sensitive data—are reproduced rather than cross-referenced. Although these definitions largely mirror those under the NJDPA, with conforming changes such as changing “controller” to “data broker or data collector,” there are a few other changes. “Sale” is defined as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration” and, unlike under the comprehensive privacy law, this definition contains no exclusion list, broadening its scope. For “de-identified data,” the contractual obligations that must be imposed on recipients of de-identified data have an added requirement that a data broker or data collector must “enforce[ ] or otherwise ensure[ ] compliance with” the contractual obligations. (A5328, § 2(a).)

Entity- and Data-Level Exemptions: Different sections of the bill have distinct exemptions. 

Unique Scope. Compared to the existing and recently enacted or amended data broker registration laws in California, Connecticut, Oregon, Texas, and Vermont, this bill is unique in that it also extends to “data collectors” who have a direct relationship with consumers. Businesses that sell personal data will have to implement new monitoring and due diligence requirements to ascertain whether a recipient of that data is a data broker under New Jersey’s law. 

Registration Requirements 

Data brokers and data collectors engaged in selling or licensing personal data of New Jersey consumers will be required to annually register with the Division of Consumer Affairs in the Department of Law and Public Safety (“Division”), which will then establish and maintain a public registry of data brokers and data collectors. Similar to existing state data broker registration laws, registrants will have to pay a fee and provide required information with their registration application. 

The registration fees are much higher than under other data broker registration laws, and they increase based on the number of New Jersey consumers whose data are collected and sold or licensed. The lower end of the spectrum is $5,000 for data brokers that sell or license (or data collectors that collect and sell or license to a data broker) the personal data of 100,000 or fewer consumers. The highest fee is $1,500,000 for entities that sell or license the personal data of 4.5 million or more consumers. Critically, the law does not specify a specific deadline or timeframe for data brokers and data collectors to register other than “annually.” The law also does not specify the relevant timeframe for determining the relevant number of consumers whose personal data are collected and sold or licensed for determining the applicable registration fee.

There are nine categories of information that a data broker or data collector must provide with its application. These include information about: the business, such as physical, email, and website addresses; opt-outs offered; consumers’ ability to delete their data; limitations on opt-outs; any credentialing process for purchasers of data; a history of data breaches and cybersecurity events affecting the business; “data collection practices, databases, sales activities, and opt-out methods that are applicable to” data of minors (under 18); anything the Division “deems appropriate” to implement; and processors who process personal data on behalf of the data broker or data collector. Compared to the existing state data broker registration laws, these disclosures are substantial—more detailed and numerous than under some of the laws, though not as intensive as California’s Delete Act. 

Entity- and Data-Level Exemptions: This section of the bill includes a number of exemptions, including for: protected health information under HIPAA; financial institutions, data, and affiliates subject to GLBA; secondary market institutions; certain insurance institutions and insurance-support organizations; personal data sold by the New Jersey Motor Vehicle Commission as permitted by the federal DPPA; personal data collected, processed, sold, or disclosed by a consumer reporting agency if authorized under FCRA; state agencies and political subdivisions (or instrumentalities of political subdivisions); personal data collected, processed, or disclosed as part of research meeting certain safeguards under federal law; and national securities associations registered pursuant to the Section 15A of the Securities Exchange Act. 

The bill also exempts certain activities, such as developing or maintaining a third-party e-commerce or application platform, providing 411 directory assistance or directory information services, or providing publicly available information for certain purposes. However, an entity engaged in those activities is considered a data broker if it sells or licenses data to third parties in a way that is not incidental to one of those exempted activities. There are additional exemptions for (1) nonprofits providing enrollment data reporting services on behalf of postsecondary educational institutions and (2) providing title and settlement services.

Prohibition on Selling Sensitive Data

The bill prohibits data brokers or data collectors from selling or licensing sensitive data “to any other individual or entity.” This is a broader prohibition than under the comprehensive privacy law because the relevant definition of sale lacks common exceptions for disclosure of personal data to a processor, disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer, the disclosure or transfer of personal data to an affiliate, the intentional disclosure of personal data by a consumer to the general public through a mass media channel, or the disclosure or transfer of personal data to a third party as part of a merger, acquisition, or bankruptcy. (A5328, § 3(a).)

Entity- and Data-Level Exemptions: This section is subject to a separate set of exemptions than the prior section concerning registration. These exemptions appear to be substantially similar to the ones above, apart from the absence of exemptions for certain enumerated activities such as developing or maintaining a third-party e-commerce or application platform, providing 411 directory assistance or directory information services, or providing publicly available information for certain purposes.  (A5328, § 3(b).)

Enforcement

Failure to register—or failure to submit or update required information—will result in a civil penalty of $2,500 per day for a data broker or data collector, in addition to the registration fee. It is notable that these penalties are uncapped. Oregon’s data broker registration law, for example, caps annual fees at $10,000. In contrast, noncompliance with New Jersey’s registration requirement could generate up to $912,500 in fees after 365 days. 

Any data broker or data collector that sells, offers for sale, or licenses sensitive data will be subject to a civil penalty of $50,000 per record sold, offered for sale, or licensed. (A5328, §§ 4 & 5.)

Construction and Rulemaking

The bill provides that the data broker and data collector requirements apply “in addition to and not in lieu of the provisions of” New Jersey’s comprehensive privacy law. Like with the comprehensive privacy law, the Director of the Division of Consumer Affairs has rulemaking authority. (A5328, §§ 6 & 7.)