Skip to Main Content
Publications

New Jersey Moves to Ban Sensitive Data Sales: What Businesses Must Do Now

Last week, New Jersey (NJ) lawmakers enacted a new, game-changing privacy law that threatens to ensnare unsuspecting businesses of all sizes that fail to take immediate action. A5328 (1R) (NJ Sensitive Data Law) amends the New Jersey Data Privacy Act (NJDPA) to impose a blanket ban on the sale of sensitive data, a separate ban on the transmission of sensitive data by data brokers and "data collectors," and a first-of-its-kind data broker registration-and-disclosure compliance regime – all backed by civil penalties of $50,000 per record for noncompliance.

Why does this matter? Because the NJ Sensitive Data Law's reach is extraordinary – and its timeline unforgiving. The sensitive data sale ban applies to any company that processes personal data – regardless of volume. And the NJ Sensitive Data Law, including its most draconian penalties, took effect immediately upon enactment.

The bottom line: If your company has any online presence and sells, licenses, or otherwise processes sensitive data, the NJ Sensitive Data Law – which is already in effect and offers no cure period – should be an immediate compliance priority. The ban on sensitive data sales reaches all controllers, regardless of how much personal data they process, sweeping in many entities not otherwise subject to the NJDPA. And New Jersey isn't alone – it's merely the latest entry in an accelerating national trend of states converting sensitive- and location-data regulation from the traditional "notice and consent" model to outright prohibitions.

This alert breaks down what you need to know about the Garden State's new privacy law and outlines the practical steps your company should take now to limit enforcement exposure for noncompliance.

Key Aspects of the NJ Sensitive Data Law

Universal Reach

Until now, most small businesses flew under the radar. The NJDPA's non-sensitive data/data broker provisions apply only to controllers that conduct business in New Jersey or target products or services to New Jersey residents, and that during a calendar year either: (1) control or process the personal data of at least 100,000 consumers; or (2) control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on goods or services from the sale of personal data.

The NJ Sensitive Data Law changes that calculus. While the general thresholds remain intact for most purposes, the sensitive data sale ban applies universally to "all individuals or legal entities regardless of the number of consumers whose data the individual or entity controls or processes." Thus, all entities that conduct business in New Jersey or produce products or services targeted at the state's residents are subject to the sensitive data sale ban, regardless of the volume of personal data processed.

What does that mean in practice? A small e-commerce retailer, a regional wellness brand, or a niche mobile app developer that never approaches the thresholds for compliance set by the NJDPA and other consumer privacy laws are fully subject to the ban. And the NJ Sensitive Data Law carries forward the NJDPA's sweeping definition of "sensitive data," which encompasses the following:

  • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis;
  • financial account information;
  • sex life or sexual orientation;
  • citizenship or immigration status;
  • status as transgender or nonbinary;
  • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
  • personal data collected from a known child; and
  • precise geolocation data (itself defined to capture data identifying "the specific location of an individual with precision and accuracy within a radius of 1,750 feet").

Don't let the label fool you. Given the ubiquity of location, biometric, and health-adjacent data in digital commerce, the covered categories are far broader than the label "sensitive" suggests.

New Compliance Regime for Data Brokers & Data Collectors

The NJ Sensitive Data Law doesn't stop at sale bans; it also creates an entirely new compliance regime for data brokers and data collectors. Under the NJ Sensitive Data Law, a "data broker" is any person or entity that collects or purchases personal data from consumers it has no direct relationship with and then sells or licenses that data to third parties. The NJ Sensitive Data Law also introduces a new concept – "data collector" – which is any business or business unit that collects the personal data of consumers with whom it has a direct relationship and then sells or licenses that data to data brokers. If you fit either definition, you are now required to register annually with the New Jersey Division of Consumer Affairs, pay an annual registration fee of up to $1.5 million, and submit detailed disclosures about your data practices – updated every year.

Those disclosures include (among other things):

  • whether the broker/collector permits individuals to opt-out of its collection practices, the methods made available by the broker/collector for submitting opt-out requests, the type of opt-out, whether the opt-out is limited to certain activities or sales, and whether the broker/collector permits authorized third parties to submit opt-outs;
  • a statement specifying the data collection, databases, or sales activities from which an individual may not opt out;
  • whether it permits individuals to submit requests for the deletion of their personal data and the manner in which they may confirm deletion;
  • a separate statement detailing its data collection practices, opt-out methods applicable to minors' personal data, and whether it has actual knowledge that it possesses minors' personal data;
  • the names of all processors that process personal data on its behalf;
  • whether it uses a credentialing process to vet data purchasers and, if so, an explanation of the process;
  • its prior data breach and other cybersecurity event history; and
  • "any information the [D]ivision deems appropriate to implement the purposes" of the legislation.

Here's the kicker: much of this information, including all "relevant opt-out information," will be published on a public registry. That transparency doesn't stop at New Jersey's state lines. Regulators in other states could use a broker's posted disclosures as a roadmap to identify potential violations of their own consumer privacy or unfair and deceptive practices (UDAP) laws – turning one state's disclosure requirement into a nationwide enforcement risk.

Separately, the NJ Sensitive Data Law creates a tiered registration fee schedule tied to the volume of New Jersey consumers' personal data processed by data brokers/collectors:

Consumer Threshold

Fee Level

1 – 100,000

$5,000

100,001 – 500,000

$10,000

500,001 – 1,000,000

$100,000

1,000,001 – 1,500,000

$500,000

1,500,001 – 2,500,000

$750,000

2,500,001 – 4,500,000

$1,000,000

4,500,001+

$1,500,000


In addition, the NJ Sensitive Data Law bars data brokers/collectors from any downstream sale, licensing, sharing, disclosure, or transfer of sensitive data. Unlike the controller sale ban, this prohibition sweeps beyond "sales" to reach virtually all sensitive data transfers by brokers and collectors, whether or not for monetary consideration.

Crushing Penalties Already in Effect

Now for the teeth: $50,000 per record. Controllers and data brokers/collectors that sell, license, or transmit sensitive data in violation of the twin sensitive data prohibitions face civil penalties of $50,000 for every record involved. Do the math: a single non-compliant transfer involving just 1,000 records equals $50 million in exposure. Clearly, liability could quickly climb to staggering levels as the result of even a single non-compliant transfer, especially where a sizable dataset is involved. And data brokers/collectors that fail to register, pay the fee, or keep their disclosures current face an additional $2,500 per day of noncompliance.

What makes this even more urgent: the $50,000-per-record penalty is already in effect and subject to enforcement – no grace period, no phase-in. Consequently, businesses that haven't already mapped their sensitive data flows and are currently noncompliant are exposed. Only the public data broker/collector registry provision has a delayed effective date; the sale and transfer bans do not.

Part of a Rapidly Expanding National Trend

The NJ Sensitive Data Law is best understood not as an outlier, but instead as an acceleration of a broader movement already underway in several states with far-reaching consequences. Maryland became the first state to impose a blanket ban on the sale of sensitive data – even with consent – when its consumer privacy law went into effect last year. In addition, Oregon, Virginia, and Connecticut have all amended their consumer privacy laws to include a ban on the sale of location data.

Looking ahead, outright prohibitions on the sale of sensitive and location data are proliferating quickly, and additional copycat measures are all but certain to follow.

Analysis and Takeaways

The strategic implications run well beyond New Jersey. A compliance posture built only around today's applicability thresholds is increasingly fragile: the clear trajectory of these laws is toward universal applicability, categorical sale bans, and per-record penalties. The breadth of these laws' definitions, including of "sensitive data" and "personal information," compounds the exposure, sweeping in routine advertising, analytics, and location-based functionality powered by third-party technology (such as cookies, pixels, application programming interfaces (APIs), software development kits (SDKs), customer data platforms (CDPs), and tag managers) and AdTech partners – data flows many businesses do not currently regard as "sensitive."

Organizations that treat sensitive- and location-data sales as a significant exposure on a national level now – rather than a state-by-state patchwork to be addressed reactively – will be best positioned as copycat measures take hold, enforcement intensifies, and litigation ensues.

What To Do Now: Practical Compliance Tips and Strategies

With the NJ Sensitive Data Law now in effect and enforceable, companies should take immediate action to assess their data sharing practices and close any compliance gaps. Here's how that can be achieved:

  1. Inventory and map sensitive data: Catalog all categories of personal data that the company collects – with particular attention to precise geolocation, biometric, genetic, health, and financial data – and map where it originates, how it is used, and to whom it is disclosed.
  2. Identify sensitive data transfers and sales: Analyze the company's data handling practices and identify all sales, licensing, and furnishing of sensitive data to third parties, including through AdTech, analytics, or data monetization arrangements – remaining mindful that the sale prohibition applies regardless of size.
  3. Assess data broker status: Evaluate whether the company meets the NJ Sensitive Data Law's definitions of "data broker" and/or "data collector" and, if so, whether it qualifies for a compliance exemption (for example, certain incidental activities or qualifying regulated financial institutions).
  4. Conduct a gap analysis: Evaluate current data sharing practices, vendor and partner contracts, consent and opt-out mechanisms, and external privacy disclosures against the NJ Sensitive Data Law's prohibitions and disclosure requirements.
  5. Get in compliance: Prioritize eliminating or restructuring any sale or transfer of sensitive data, and satisfy data broker/collector registration and disclosure obligations where applicable, recognizing that the harshest penalties are already enforceable by New Jersey privacy regulators.
  6. Monitor the broader privacy landscape: Track parallel developments in Maryland, Oregon, Virginia, Connecticut, and other states so that compliance is calibrated to a rapidly evolving, multistate patchwork, rather than to New Jersey alone.
  7. Engage experienced privacy counsel: The interplay between sensitive data definitions, data broker obligations, and multistate enforcement risk is complex – and the stakes are high. Outside counsel with deep privacy expertise can help you identify exposure, prioritize remediation, and build a compliance strategy calibrated to your business.

The Final Word

The NJ Sensitive Data Law sends an unmistakable signal: Regulation of sensitive and location data is shifting into overdrive. Categorical prohibitions, universal applicability, and severe per-record penalties are replacing the old notice-and-consent model – and this is just the beginning. Companies that act now to audit their data practices, close compliance gaps, and engage experienced privacy counsel will be far better positioned than those left scrambling to mitigate the mounting legal risk and liability exposure arising from this new wave of sensitive data prohibitions.

Baker Donelson's Privacy Team is actively advising clients on sensitive data compliance strategies, data broker obligations, and the broader multistate privacy landscape. If you have questions about how the NJ Sensitive Data Law impacts your business – or need help operationalizing compliance – reach out to the authors, David Oberly, Matt White, AIGP, CIPP/US, CIPP/E, CIPT, CIPM, PCIP, and MJ McMahan, or another member of Baker Donelson's Data Privacy and Cybersecurity, Digital Marketing, AdTech, and Consumer Privacy Compliance, or Privacy Litigation Teams.

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept