On June 30, New Jersey enacted A5328, only two days after the bill was introduced, amending the state’s comprehensive privacy law. The backlash was immediate. Businesses and privacy practitioners focused on the law’s unusually high fees, severe penalties, and novel coverage of companies that do not ordinarily identify as data brokers. Political campaigns and voter data vendors also threatened to suspend operations in New Jersey due to the law’s potentially massive penalties regarding the selling and sharing of sensitive data.
NJ DCA then issued an alert stating that covered entities will not need to register or pay fees until the first registration period, scheduled in spring 2027. NJ DCA also stated that it expects to issue guidance on the sensitive data restriction in the upcoming months.
Separately, The New Jersey Globe reported that an anonymous Sherrill administration official confirmed an enforcement pause and possible legislative changes due to “certain defects that have come to light.” Because the reported defects have not yet been identified publicly, uncertainty remains for businesses and privacy professionals.
Why did the law trigger such a strong response?
A5328 departed from the emerging data-broker-law consensus in several important ways:
Unusually high registration costs. Annual fees range from $5,000 to $1.5 million, with the upper tier far exceeding fees under other state data broker registries. According to Privacy Daily, the Software & Information Industry Association (SIIA) raised constitutional concerns about whether such costs could affect participation in the information market.
A new “data collector” category. The law reaches any business that collects information directly from consumers and then sells or licenses it to a data broker. That could pull ordinary consumer-facing businesses and upstream data suppliers into a registry designed for entities traditionally understood to be data brokers.
Severe and immediate exposure. The law pairs daily registration penalties of $2,500 with a sensitive data restriction carrying penalties of up to $50,000 per record.
What may change, and what may survive?
It is too early to predict the final amendments, but the source of the pushback points to several likely provisions. Lawmakers may consider an express exemption or narrower rule for political organizations, campaigns, voter files, and election-related uses. Other states often exempt some nonprofit or political organizations from comprehensive privacy laws, although those exemptions vary.
The registration framework also appears ripe for revision. The tiered fees could be reduced or removed for a more standard fee structure and the novel “data collector” definition could be narrowed or eliminated. Those provisions are the most significant departures from existing state data broker regimes.
The sensitive-data sales ban may be more durable.
Unlike the registration fees and data-collector category, restrictions on selling sensitive data reflect a broader state-law trend. Maryland and New Jersey use broad bans, while Connecticut, Oregon, and Virginia restrict sales of particular sensitive-data categories or in particular circumstances. NJ DCA’s alert also signals that sensitive data sales are likely still prohibited and we should expect guidance in the upcoming months.
What should businesses do now?
Continue to monitor. Track legislative developments in New Jersey, as the data broker registration fee structure, “data collector” definition, and fines associated with registration and sensitive data may change significantly in the upcoming months.
Treat the sensitive-data ban as likely in effect. Although the registration mechanics and fee obligations are delayed until the first registration period, the sensitive-data sales restriction appears to have taken effect immediately. Businesses should identify any sale or licensing of sensitive data involving New Jersey consumers and evaluate whether those activities should be paused, restricted, or restructured while the State issues guidance.
- Map data flows at a high level. Businesses that provide personal data to third-party data vendors should understand what is transferred, to whom, and for what purpose. That analysis will remain useful even if the “data collector” provision is narrowed.

/Passle/644c41cc474c4c94b77327c8/SearchServiceImages/2026-06-24-03-51-35-376-6a3b5447117422070cdaff41.jpg)

/Passle/644c41cc474c4c94b77327c8/SearchServiceImages/2026-06-19-22-49-54-737-6a35c792fe67db3561942de7.jpg)
