Bill
Bill > A5332
NJ A5332
NJ A5332Regulates data brokers and collection and dissemination of certain sensitive information.
summary
Introduced
06/28/2026
06/28/2026
In Committee
06/28/2026
06/28/2026
Crossed Over
Passed
Dead
Introduced Session
2026-2027 Regular Session
Bill Summary
This bill prohibits a controller of a commercial Internet website or online services from selling sensitive data, which prohibition will apply to all individuals or legal entities regardless of the number of consumers whose data the individual or entity controls or processes. The bill requires data brokers to register with the Division of Consumer Affairs (division) in the Department of Law and Public Safety and prohibits the brokering of physical or behavioral health records. Under the bill, a data broker means a person or entity that knowingly collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells, licenses or otherwise provides such data to third parties. Specifically, the bill requires the division to establish and maintain a public registry of data brokers doing business in New Jersey. Data brokers are required to register with the division, pay an annual registration fee of $5,500 or other amount established by the Director of Consumer Affairs by regulation, and provide the division with certain information about the data broker's business as described in the bill. Collected registration fees will be used to implement the provisions of the bill. Under the bill, the information that data brokers are required to submit to the division at the time of registration includes: (1) the data broker's name and primary physical, email, and Internet addresses; (2) whether the data broker permits individuals to opt out of the data broker's collection practices and direct the data broker to delete any personal data in the broker's possession, including the method for requesting an opt-out, the type of opt-out, whether the opt-out is limited to certain activities or sales, whether the data broker permits individuals to authorize a third party to opt out on the individual's behalf, and the manner in which individuals may confirm the deletion of personal data by the data broker; (3) a statement specifying the data collection, databases, or sales activities from which an individual may not opt out; (4) whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process; (5) a history of data breaches and other cybersecurity events affecting the data broker and personal identifying information in the data broker's possession, including the number of individuals affected by each such data breach or cybersecurity event; (6) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and (7) any information the division deems appropriate to implement the purposes of the bill. Using the information submitted by data brokers, the division is to include in the registry, at minimum, each data broker's name and physical address, a general email address that may be used to request information about the data broker's privacy policies and data collection practices, a general Internet website address for the data broker, an Internet website address specific to the data broker's privacy policies, and any relevant opt-out information. The division is required to review and update this information at least annually. Data brokers that fail to submit and update information as required under the bill, or that fail to register and pay the registration fee required under the bill, will be liable for a civil penalty of $2,500 for each day the data broker is not in compliance. A person or legal entity that knowingly collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells, licenses or otherwise provides that data to third parties is not considered a data broker for the purposes of the bill if: (1) the full extent to which the person or entity collects or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells, licenses or otherwise provides such data to third parties is incidental to conducting one or more of the following activities: (a) developing or maintaining a third-party e-commerce or application platform; (b) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier; (c) providing publicly available information related to an individual's business or profession; or (d) providing publicly available information via real-time or near real-time alert services for health or safety purposes; or (2) the person or entity is a financial institution or an affiliate of a financial institution that: (a) is only and directly engaged in financial activities as described the federal Bank Holding Company Act; (b) is regulated and examined by the State Department of Banking and Insurance or an applicable federal bank regulatory agency; and (c) has established a program to comply with all applicable requirements of the New Jersey Department of Banking and Insurance or the applicable federal bank regulatory agency concerning personal data. A person or entity that engages in these activities will still be considered a data broker for the purposes of the bill if the person or entity collects and sells or licenses personal identifying information in any way that is not incidental to one or more of those activities. A data broker, including a controller, that sells, offers for sale, licenses, or otherwise furnishes, provides, or transmits to any other individual or sensitive data in violation of P.L.2023, c.266 or the bill's provisions will be liable to a civil penalty of $50,000 for each record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted.
AI Summary
This bill establishes regulations for data brokers, which are defined as entities that knowingly collect or purchase personal data from consumers with whom they have no direct relationship and then sell, license, or otherwise provide this data to third parties. It prohibits controllers of commercial internet websites or online services from selling "sensitive data," which includes information like racial or ethnic origin, health conditions, financial details, precise geolocation, and data from known children, and this prohibition applies to all individuals and entities regardless of the volume of data they handle. Data brokers operating in New Jersey will be required to register annually with the Division of Consumer Affairs (division) within the Department of Law and Public Safety, paying a $5,500 fee, and provide detailed information about their business practices, including data collection methods, opt-out options, data breach history, and specific practices related to minors. The division will maintain a public registry of these data brokers with key contact and privacy policy information, updated at least annually. Failure to register, pay fees, or provide required information can result in daily civil penalties of $2,500, while selling sensitive data in violation of the bill can lead to penalties of $50,000 per record. Certain entities, such as those whose data collection is incidental to operating e-commerce platforms, providing directory assistance, or sharing publicly available business information, are exempt from the data broker definition, as are regulated financial institutions with established data protection programs. The bill also clarifies that selling sensitive data is prohibited for data brokers and controllers, with significant penalties for violations.
Committee Categories
Business and Industry
Sponsors (1)
Last Action
Introduced, Referred to Assembly Financial Institutions and Insurance Committee (on 06/28/2026)
Bill Topics
Banking, Finance, and Domestic Commerce
- ‐ Consumer Safety and Consumer Fraud
Civil Rights, Minority Issues, and Civil Liberties
- ‐ Right to Privacy and Access to Government Information
Space, Science, Technology, and Communications
- ‐ Internet and Computer Issues
Official Document
bill text
bill summary
Loading...
bill summary
Loading...
bill summary
| Document Type | Source Location | Created |
|---|---|---|
| State Bill Page | https://www.njleg.state.nj.us/bill-search/2026/A5332 | 06/23/2026 |
| BillText | https://pub.njleg.gov/Bills/2026/A5500/5332_I1.HTM | 06/29/2026 |
| BillText | https://pub.njleg.gov/Bills/2026/A5500/5332_R1.HTM | 06/24/2026 |
Loading...