Read the full stored bill text
A5332
ASSEMBLY, No. 5332
STATE OF NEW JERSEY
222nd LEGISLATURE
�
INTRODUCED JUNE 28, 2026
Sponsored by:
Assemblyman� WILLIAM F. MOEN, JR.
District 5 (Camden and Gloucester)
SYNOPSIS
���� Regulates data brokers and collection and
dissemination of certain sensitive information.
CURRENT VERSION OF TEXT
���� As introduced.
��
An Act
concerning personal data and data brokers and amending P.L.2023, c.266 and supplementing
Title 56 of the Revised Statutes.
����
Be It Enacted
by the Senate and General Assembly of the State of New Jersey:
���� 1.��� Section 9 of P.L.2023,
c.266 (C.56:8-166.12) is amended to read as follows:
���� 9. a. A controller shall:
���� (1)� limit the collection of
personal data to what is adequate, relevant, and reasonably necessary in
relation to the purposes for which such data is processed, as disclosed to the
consumer;
���� (2)� except as otherwise
provided in P.L.2023, c.266 (C.56:8-166.4 et seq.), not process personal data
for purposes that are neither reasonably necessary to, nor compatible with, the
purposes for which such personal data is processed, as disclosed to the
consumer, unless the controller obtains the consumer's consent;
���� (3)� take reasonable measures
to establish, implement, and maintain administrative, technical, and physical
data security practices to protect the confidentiality, integrity, and
accessibility of personal data and to secure personal data during both storage
and use from unauthorized acquisition. The data security practices shall be
appropriate to the volume and nature of the personal data at issue;
���� (4)� not process sensitive
data concerning a consumer without first obtaining the consumer's consent, or,
in the case of the processing of personal data concerning a known child,
without processing such data in accordance with COPPA;
���� (5)� not process personal data
in violation of the laws of this State and federal laws that prohibit unlawful
discrimination against consumers;
���� (6)�
not sell sensitive
data, which shall apply to all individuals or legal entities regardless of the
number of consumers whose data the individual or entity controls or processes;
����
(7)
� provide an
effective mechanism for a consumer to revoke the consumer's consent under this
section that is at least as easy as the mechanism by which the consumer
provided the consumer's consent and, upon revocation of such consent, cease to
process the data as soon as practicable, but not later than 15 days after the
receipt of such request;
����
[
(7)
]
(8)
not process the
personal data of a consumer for purposes of targeted advertising, the sale of
the consumer's personal data, or profiling in furtherance of decisions that
produce legal or similarly significant effects concerning a consumer without
the consumer's consent, under circumstances where a controller has actual
knowledge, or willfully disregards, that the consumer is at least 13 years of
age but younger than 17 years of age;
����
[
(8)
]
(9)
� specify the express
purposes for which personal data are processed; and
����
[
(9)
]
(10)
�not conduct
processing that presents a heightened risk of harm to a consumer without
conducting and documenting a data protection assessment of each of its
processing activities that involve personal data acquired on or after the
effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.) that present a
heightened risk of harm to a consumer.
���� b.��� Data protection
assessments shall identify and weigh the benefits that may flow, directly and
indirectly, from the processing to the controller, the consumer, other
stakeholders, and the public against the potential risks to the rights of the
consumer associated with the processing, as mitigated by safeguards that the
controller can employ to reduce the risks. The controller shall factor into
this assessment the use of de-identified data and the reasonable expectations
of consumers, as well as the context of the processing and the relationship
between the controller and the consumer whose personal data will be processed.
A controller shall make the data protection assessment available to the
Division of Consumer Affairs in the Department of Law and Public Safety upon
request. The division may evaluate the data protection assessment for
compliance with the duties contained in this section and with other laws. Data
protection assessments shall be confidential and exempt from public inspection
under P.L.1963 c.3 (C.47:1A-1 et al.). The disclosure of a data protection
assessment pursuant to a request from the division under this section shall not
constitute a waiver of any attorney-client privilege or work-product protection
that might otherwise exist with respect to the assessment and any information
contained in the assessment.
���� c.���� For the purposes of
this section, "heightened risk" includes:
���� (1)� processing personal data
for purposes of targeted advertising or for profiling if the profiling presents
a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful
disparate impact on, consumers; financial or physical injury to consumers; a
physical or other intrusion upon the solitude or seclusion, or the private
affairs or concerns, of consumers if the intrusion would be offensive to a
reasonable person; or other substantial injury to consumers;
���� (2)� selling personal data;
and
���� (3)� processing sensitive
data.
���� d.��� A single data protection
assessment may address a comparable set of processing operations that include
similar activities.
(cf: P.L.2023, c.266, s.9)
���� 2.� (New section)�� a. As used
in this section:
���� �Consumer�
means an identified person who is a resident of this State acting only in an
individual or household context. �Consumer� shall not include a person acting
in a commercial or employment context.
���� �Data
broker� means a
person or legal entity, including a controller,
that knowingly collects or purchases the personal data of a
consumer with whom the person or legal entity does not have a direct
relationship and sells, licenses or otherwise provides that data to third
parties.�
Examples of a direct relationship include if the consumer is a
past or present: (1) customer, client, subscriber, or user of the person or
legal entity�s goods or services; (2) employee, contractor, or agent of the
person or legal entity; (3) investor in the person or legal entity; or (4)
donor to th
e person or
legal entity.
���� �De-identified
data� means: data that cannot be reasonably used to infer information about, or
otherwise be linked to, an identified or identifiable individual, or a device
linked to such an individual, if the controller that possesses the data: (1)
takes reasonable measures to ensure that the data cannot be associated with an
individual, (2) publicly commits to maintain and use the data only in a
de-identified fashion and not to attempt to re-identify the data, and (3)
contractually obligates any recipients of the information to comply with the
requirements of this paragraph.
���� �Director� means the Director
of the Division of Consumer Affairs in the Department of Law and Public Safety.
���� �Division� means the Division
of Consumer Affairs in the Department of Law and Public Safety.
���� �Personal data� means any
information that is linked or reasonably linkable to an identified or
identifiable person. �Personal data� shall not include de-identified data or
publicly available information.
���� �Precise geolocation data�
means information derived from technology, including, but not limited to,
global positioning system level latitude and longitude coordinates or other
mechanisms, that directly identifies the specific location of an individual with
precision and accuracy within a radius of 1,750 feet. �Precise geolocation
data� shall not include the content of communications or any data generated by
or connected to advanced utility metering infrastructure systems or equipment
for use by a utility.
���� �Process� or �processing�
means an operation or set of operations performed, whether by manual or
automated means, on personal data or on sets of personal data, such as the
collection, use, storage, disclosure, analysis, deletion, or modification of
personal data, and also includes the actions of a controller directing a
processor to process personal data.
���� �Publicly available
information� means information that is lawfully made available from federal,
State, or local government records or widely distributed media or information
that a controller has a reasonable basis to believe a consumer has lawfully made
available to the general public and has not restricted to a specific audience.
���� �Sensitive data� means
personal data revealing racial or ethnic origin; religious beliefs; mental or
physical health condition, treatment, or diagnosis; financial information,
which shall include a consumer�s account number, account log-in, financial account,
or credit or debit card number, in combination with any required security code,
access code, or password that would permit access to a consumer�s financial
account; sex life or sexual orientation; citizenship or immigration status;
status as transgender or non-binary; genetic or biometric data that may be
processed for the purpose of uniquely identifying an individual; personal data
collected from a known child; or precise geolocation data.
���� b.��� The Division of Consumer
Affairs in the Department of Law and Public Safety shall establish and maintain
a public registry of data brokers engaged in processing personal data of New
Jersey consumers.� Using the information submitted pursuant to subsection c. of
this section, the registry shall include, at a minimum, for each data broker:
the data broker�s name and physical address; a general email address that may
be used to request information about the data broker�s privacy policies and
data collection practices; a general Internet website address for the data
broker; an Internet website address specific to the data broker�s privacy
policies; and any relevant opt-out information.� The division shall review and
update the information contained in the registry at least annually.
���� c.���� Each data broker engaged
in processing personal data of New Jersey consumers shall annually register
with the division and pay to the division a registration fee of $5,500 or such
other amount as the director may establish by regulation.� Registration fees
collected pursuant to this subsection shall be used to effectuate the purposes
of this act.
���� d.��� Each data broker shall
submit the following information to the division at the time of registration,
which information shall be updated by the data broker at least annually, or at
such other frequency as the division may require:
���� (1)�� the data broker�s name
and primary physical, email, and Internet website addresses;
����
(2)�� whether
the data broker permits
individuals to
opt out of the data
broker�s collection practices and direct the data broker to delete any personal
data in the broker�s possession, including the method for requesting an
opt-out, the type of opt-out, whether
the opt-out is limited
to
certain activities or sales, whether the data broker permits individuals to
authorize a third party to opt out on the individual�s behalf, and the manner
in which individuals may confirm the deletion of personal data by the data broker;
���� (3)�� a
statement specifying the data collection, databases, or sales activities from
which an individual may not opt out;
���� (4)�� whether the data broker
uses a credentialing process for purchasers of data and, if applicable, a
general explanation of that process;
���� (5)�� a history of data
breaches and other cybersecurity events affecting the data broker and personal
identifying information in the data broker�s possession, including the number
of individuals affected by each data breach or cybersecurity event;
���� (6)�� a separate statement
detailing the data collection practices, databases, sales activities, and
opt-out methods that are applicable to the personal identifying information of
persons under the age of 18 and whether the data broker has actual knowledge
that it possesses the personal identifying information of persons under the age
of 18; and
���� (7)�� any information the
division deems appropriate to implement the purposes of P.L.��� , c.����
(C.������� ) (pending before the Legislature as this bill).
���� e.���� In no case shall a data
broker sell, offer for sale, license, or otherwise furnish, provide, or
transmit sensitive data to any other individual or entity.
���� f.���� A person or entity that
knowingly collects or purchases the personal data of a consumer with whom the
person or legal entity does not have a direct relationship and sells, licenses
or otherwise provides that data to third parties shall not be considered a data
broker for the purposes of P.L.��� , c.���� (C.������� ) (pending before the
Legislature as this bill) if:
���� (1)�� the full extent to which
the person or entity collects or purchases the personal data of a consumer with
whom the person or legal entity does not have a direct relationship and sells,
licenses or otherwise provides that data to third parties is incidental to
conducting one or more of the following activities:
���� (a)�� developing or
maintaining a third-party e-commerce or application platform;
���� (b)�� providing 411 directory
assistance or directory information services, including name, address, and
telephone number, on behalf of or as a function of a telecommunications
carrier;
���� (c)�� providing publicly
available information related to an individual�s business or profession; or
���� (d)�� providing publicly
available information via real-time or near real-time alert services for health
or safety purposes; or
���� (2)�� the person or entity is
a financial institution or an affiliate of a financial institution that:
���� (a) is only and directly
engaged in financial activities as described in subsection k. of section 4 of
the federal Bank Holding Company Act of 1956, 12 U.S.C. s.1843;
���� (b) is regulated and examined
by the New Jersey Department of Banking and Insurance or an applicable federal
bank regulatory agency; and
���� (c) has established a program
to comply with all applicable requirements of the New Jersey Department of
Banking and Insurance or the applicable federal bank regulatory agency
concerning personal data.
���� g.��� A person or entity that
engages in one or more of the activities described in subparagraphs (a) through
(d) of paragraph (1) of subsection f. of this section shall be considered a
data broker for the purposes of P.L.��� , c.���� (C.������� ) (pending before
the Legislature as this bill) if the person or entity collects and or purchases
the personal data of a consumer with whom the person or legal entity does not
have a direct relationship and sells, licenses or otherwise provides such data
to third parties in any way that is not incidental to an activity described in
subparagraphs (a) through (d) of paragraph (1) of subsection f. of this
section, unless the person or entity is exempt under paragraph (2) of
subsection f. of this section.
���� 3.��� (New section) a. A data
broker that fails to register with the division or to submit the annual
registration fee as required under subsection c. of section 2 of P.L.��� ,
c.���� (C.������� ) (pending before the Legislature as this bill) shall be
liable to a civil penalty of $2,500 for each day the data broker fails to
register or submit the required fee.
���� b.��� A data broker that fails
to submit or update the information required under subsection d. of section 2
of P.L.��� , c.���� (C.������� ) (pending before the Legislature as this bill)
shall be liable for a civil penalty of $2,500 for each day the data broker
fails to submit or update the information.
���� c.���� A civil penalty
assessed pursuant to this section shall be collected and enforced by the
division in a summary proceeding before a court of competent jurisdiction
pursuant to the provisions of the �Penalty Enforcement Law of 1999,� P.L.1999,
c.274 (C.2A:58-10 et seq.).
���� 4.��� (New section) A data
broker, including a controller, that sells, offers for sale, licenses, or
otherwise furnishes, provides, or transmits to any other individual or
sensitive data in violation of paragraph (6 ) of subsection a. of section 9 of P.L.2023,
c.266 (C.56:8-166.12) or subsection e. of section 2 of P.L.��� ,
c. (C. ) (pending
before the Legislature as this bill) shall be liable to a civil penalty of
$50,000 for each record sold, offered for sale, licensed, or otherwise
furnished, provided, or transmitted.
���� 5.��� (New section) The
Director of the Division of Consumer Affairs in the Department of Law and
Public Safety shall adopt rules and regulations, pursuant to the
�Administrative Procedure Act,� P.L.1968, c.410 (C.52:14B-1 et seq.), as shall
be necessary for the implementation of P.L.��� , c.���� (C.������� ) (pending
before the Legislature as this bill).
���� 6.��� This act shall take
effect immediately, except that section 3 of this act shall remain inoperative
for 180 days following the date of enactment.
STATEMENT
���� This bill prohibits a
controller of a commercial Internet website or online services from selling
sensitive data, which prohibition will apply to all individuals or legal
entities regardless of the number of consumers whose data the individual or
entity controls or processes.
���� The bill requires data brokers
to register with the Division of Consumer Affairs (division) in the Department
of Law and Public Safety and prohibits the brokering of physical or behavioral
health records.
���� Under the bill, a data broker
means a person or entity that knowingly collects or purchases the personal data
of a consumer with whom the person or legal entity does not have a direct
relationship and sells, licenses or otherwise provides such data to third
parties.
���� Specifically, the bill
requires the division to establish and maintain a public registry of data
brokers doing business in New Jersey. Data brokers are required to register
with the division, pay an annual registration fee of $5,500 or other amount
established by the Director of Consumer Affairs by regulation, and provide the
division with certain information about the data broker�s business as described
in the bill. Collected registration fees will be used to implement the
provisions of the bill.
���� Under the bill, the
information that data brokers are required to submit to the division at the
time of registration includes:
���� (1) the data broker�s name and
primary physical, email, and Internet addresses;
���� (2) whether the data broker
permits individuals to opt out of the data broker�s collection practices and
direct the data broker to delete any personal data in the broker�s possession,
including the method for requesting an opt-out, the type of opt-out, whether
the opt-out is limited to certain activities or sales, whether the data broker
permits individuals to authorize a third party to opt out on the individual�s
behalf, and the manner in which individuals may confirm the deletion of
personal data by the data broker;
���� (3) a statement specifying the
data collection, databases, or sales activities from which an individual may
not opt out;
���� (4) whether the data broker
uses a credentialing process for purchasers of data and, if applicable, a
general explanation of that process;
���� (5) a history of data breaches
and other cybersecurity events affecting the data broker and personal
identifying information in the data broker�s possession, including the number
of individuals affected by each such data breach or cybersecurity event;
���� (6) a separate statement
detailing the data collection practices, databases, sales activities, and
opt-out methods that are applicable to the personal identifying information of
persons under the age of 18 and whether the data broker has actual knowledge
that it possesses the personal identifying information of persons under the age
of 18; and
���� (7) any information the
division deems appropriate to implement the purposes of the bill.
���� Using the information
submitted by data brokers, the division is to include in the registry, at
minimum, each data broker�s name and physical address, a general email address
that may be used to request information about the data broker�s privacy policies
and data collection practices, a general Internet website address for the data
broker, an Internet website address specific to the data broker�s privacy
policies, and any relevant opt-out information. The division is required to
review and update this information at least annually.
���� Data brokers that fail to
submit and update information as required under the bill, or that fail to
register and pay the registration fee required under the bill, will be liable
for a civil penalty of $2,500 for each day the data broker is not in compliance.
���� A person or legal entity that
knowingly collects or purchases the personal data of a consumer with whom the
person or legal entity does not have a direct relationship and sells, licenses
or otherwise provides that data to third parties is not considered a data
broker for the purposes of the bill if:
���� (1) the full extent to which
the person or entity collects or purchases the personal data of a consumer with
whom the person or legal entity does not have a direct relationship and sells,
licenses or otherwise provides such data to third parties is incidental to
conducting one or more of the following activities:
���� (a) developing or maintaining
a third-party e-commerce or application platform;
���� (b) providing 411 directory
assistance or directory information services, including name, address, and
telephone number, on behalf of or as a function of a telecommunications
carrier;
���� (c) providing publicly
available information related to an individual�s business or profession; or
���� (d) providing publicly
available information via real-time or near real-time alert services for health
or safety purposes; or
���� (2) the person or entity is a
financial institution or an affiliate of a financial institution that:
���� (a) is only and directly
engaged in financial activities as described the federal Bank Holding Company
Act;
���� (b) is regulated and examined
by the State Department of Banking and Insurance or an applicable federal bank
regulatory agency; and
���� (c) has established a program
to comply with all applicable requirements of the New Jersey Department of
Banking and Insurance or the applicable federal bank regulatory agency
concerning personal data.
���� A person or entity that
engages in these activities will still be considered a data broker for the
purposes of the bill if the person or entity collects and sells or licenses
personal identifying information in any way that is not incidental to one or more
of those activities.
���� A data broker, including a
controller, that sells, offers for sale, licenses, or otherwise furnishes,
provides, or transmits to any other individual or sensitive data in violation
of P.L.2023, c.266 or the bill�s provisions will be liable to a civil penalty
of $50,000 for each record sold, offered for sale, licensed, or otherwise
furnished, provided, or transmitted.