
The Data Broker Crackdown Nobody's Talking About: New Jersey's $1.5M Registration Law and What It Signals for Privacy in AI Products
On June 30, 2026, New Jersey's governor signed a data broker law that makes California's registration regime look quaint. The privacy implications reach well beyond the companies that self-identify as "data brokers" — they touch any AI product built on behavioral data, any company that infers consumer preferences at scale, and quite possibly your product. The law passed in two days flat, tied to a budget deal, and is already facing an enforcement pause. Here's what actually happened, what it means for product teams, and why the real story isn't the fee schedule.
Key Takeaways
- New Jersey's new data broker law imposes tiered annual registration fees up to $1.5 million — roughly 250x California's current fee — and bans the sale of sensitive data outright, with $50,000 penalties per record.
- The law introduces a "data collector" category that doesn't exist in any other state's data broker statute, potentially sweeping in retailers, publishers, and AI companies that were never considered brokers.
- The bill was introduced, passed, and signed within 48 hours as part of a budget process — and the state has already delayed enforcement amid industry confusion, signaling that the text itself may be revised before the March 2027 registry deadline.
- This law sits inside a broader 2026 convergence: surveillance-pricing bans in Maryland, Connecticut, and New York are targeting the same underlying behavior — algorithmic decisions built on inferred data — and together they draw a regulatory line that any AI product touching personal data needs to understand.
- The practical takeaway for AI builders: architect around data brokerage entirely. Don't sell or license behavioral data. Minimize your sensitive-data footprint. The compliance patchwork is becoming a structural moat for products that never touch third-party sale.
What Did New Jersey Actually Pass?
Governor Mikie Sherrill signed A5328 on June 30, 2026, making New Jersey the seventh state to enact a data broker law and the second this year after Connecticut. The headline number — $1.5 million in annual registration fees at the top tier — is real, but it's the structure underneath that matters.
The law establishes tiered annual fees ranging from $5,000 to $1.5 million. For context: California charges $6,000. Vermont charges $100. Connecticut's new law charges $2,500. New Jersey isn't in the same conversation — it's in a different building.
More consequentially, the law bans the sale of sensitive data outright. Not "allows with opt-in consent." Not "permits with a privacy impact assessment." Bans it. The amendment applies to all individuals and legal entities regardless of whether they're otherwise subject to the New Jersey Data Privacy Act. Civil penalties sit at $50,000 per record sold, offered for sale, or licensed. Sell a list of 1,000 records containing health data or precise geolocation? That's $50 million in exposure — on the civil side alone.
Why Does the "Data Collector" Category Matter So Much?
It matters because it doesn't exist anywhere else. The law extends beyond classic data brokers — companies whose primary business is aggregating and selling consumer data — to a new category called "data collectors." As ZwillGen's analysis notes, this concept does not appear in the data broker registration laws of California, Oregon, Texas, or Vermont. A potentially vast array of retail businesses, content publishers, and other companies could be swept in.
Think about what this means for AI products. If your application collects behavioral signals — click patterns, browsing history, purchase behavior, location traces — and you use that data to train models or personalize outputs, you may now qualify as a "data collector" under New Jersey law. You don't need to be selling that data to a third party. The category is about collection, not just brokerage.
The ambiguity is the point — or at least the problem. The law doesn't specify a reference period for counting consumers. It doesn't define clear registration deadlines for entities that aren't sure whether they qualify. And penalties accrue at $2,500 per day even for good-faith miscounting. One privacy officer described the industry reaction as "the equivalent of the 'Hold my beer' memes" — nobody anticipated that data collectors would be covered.
How Did This Law Pass in 48 Hours?
Speed-drafted legislation is becoming the norm for data and AI regulation, and this case is the clearest example yet. The bill was formally introduced and signed into law within two days, tied to New Jersey's budget process. It passed the Democrat-controlled legislature along party lines with little fanfare.
The revenue angle explains the velocity. Two days before the budget deadline, a data broker bill initially expected to raise $2.5 million was replaced and amended to generate an estimated $50 million, according to a legislative staffer estimate reported by Bloomberg Law. That's a 20x increase in projected revenue, introduced under budget pressure, with essentially no public comment period.
This isn't a story about careful policymaking. It's a story about legislatures discovering that data regulation is a revenue instrument — and moving accordingly.
What's the Status of Enforcement Right Now?
It's paused. New Jersey is holding off enforcement of the law that technically took effect immediately upon signing, following outcry from businesses about the record-setting fees and confusion about scope. The registry itself won't launch for 270 days — pointing to approximately March 27, 2027 — but the sensitive-data sale ban and the "data collector" provisions carried no such delay.
This is the real story, and most coverage is missing it. The enforcement pause signals legislative overreach colliding with implementation reality. The law may be revised, clarified, or narrowed before the registry deadline. But the directional intent is clear: New Jersey wants to make data brokerage expensive and sensitive-data sale impossible. Whether the specific dollar amounts survive is secondary to the regulatory posture.
There are also unintended casualties. Political campaigns, candidates, and party organizations are bracing for the possibility of losing access to critical voter data — a consequence that apparently wasn't contemplated during the 48-hour drafting window.
How Does This Connect to Surveillance Pricing Bans?
This is the convergence most analysts are treating as two separate stories, but it's one story. New Jersey's data broker law and the wave of surveillance-pricing bans sweeping state legislatures are targeting the same underlying behavior: algorithmic decisions built on inferred or behavioral data.
New Jersey state Senator Joe Cryan, co-sponsor of the state's separate Fair Price Protection Act, stated it plainly: "Surveillance pricing is an abuse of modern technology where artificial intelligence sets different prices for different customers." The mechanism of harm, in the legislator's own framing, is AI.
The legislative momentum is considerable. Maryland signed the nation's first surveillance-pricing ban in April 2026, focused on food retailers. Connecticut followed in May. New York's legislature cleared a One Fair Price Act in June. As of mid-2026, more than 40 bills across at least 24 states address surveillance pricing.
If you're building an AI product that uses behavioral data to personalize pricing, recommendations, or access — and most AI products do at least one of these — you're now operating in a landscape where the data inputs and the algorithmic outputs are both under legislative scrutiny, simultaneously, in different statutes, in different states, with different definitions.
What Does "More Than 35 States" of AI Legislation Actually Look Like?
It looks like a patchwork that's accreting faster than any product team can track manually. More than 35 states have active AI legislation as of early 2026, and the bills are getting more specific. They're no longer just "AI transparency" proposals — they're targeting data provenance, training-data governance, and the sale or licensing of data used in model training.
An industry survey found that 78% of organizations cannot validate data before it enters AI training pipelines, 77% cannot trace where their training data originated, and 53% have no mechanism to recover or remove training data after an incident. These numbers aren't surprising if you've worked in the space. They're just now becoming legally relevant.
Connecticut's amended privacy law, effective July 1, 2026, now applies to entities processing personal data of just 35,000 consumers — or any entity processing sensitive personal data or selling consumer personal data, regardless of volume. Thresholds are dropping fast. The direction is toward universal applicability.
Why Should AI Product Teams Care About Data Broker Laws?
Because the definition of "data broker" is expanding to include you. Not hypothetically — structurally.
If your AI product ingests behavioral data from users, trains on it, and serves personalized outputs, you're performing the functional equivalent of what data brokers do: collecting personal information, deriving inferences, and monetizing those inferences. The fact that you're not selling a CSV file to a marketing firm is a distinction that New Jersey's "data collector" category has already erased.
The sensitive-data ban is particularly relevant. Most AI products that use behavioral data will, at some point, process data that qualifies as "sensitive" under New Jersey's framework — health-related inferences, precise geolocation, financial information, data concerning minors. If any of that data is sold, licensed, or — depending on how future enforcement interprets "offered for sale" — made available to third parties through API access or model outputs, you're exposed to $50,000-per-record penalties.
The compliance math is straightforward: if you never sell or license user data, you sidestep the most punitive provisions of every data broker law on the books. If you minimize your sensitive-data footprint by design — not collecting what you don't need, not retaining what you don't use — you reduce surface area across all 35+ state AI bills simultaneously.
Is the Compliance Patchwork Itself the Opportunity?
Yes. The standard framing — "comply or die" — misses what's actually happening. The ambiguity of laws like New Jersey's, the speed at which they're enacted, and the near-certainty of revision before enforcement creates a structural incentive for AI companies to architect around data brokerage entirely.
A product that never touches third-party data sale isn't just ethically cleaner. It's cheaper to operate across jurisdictions. You don't need to parse whether you qualify as a "data collector" in New Jersey, a "data broker" in California, or a "controller processing sensitive data" in Connecticut. You don't need to register in seven states — and soon, likely twenty. You don't need to budget $1.5 million for a registration fee that may or may not survive its own enforcement pause.
Privacy-first architecture is becoming a compliance moat. Not because regulators are asking for it explicitly — they're still writing the rules — but because the directional intent across every active state legislature points toward the same destination: companies that collect, infer, and sell behavioral data will pay more, disclose more, and face more liability. Companies that don't, won't.
What Should You Actually Build For?
Build for directional intent, not statutory text. The text is going to change — New Jersey's law is already functionally paused, and the 270-day registry window means the implementing regulations don't exist yet. Parsing exact statutory language that may be revised within months is a waste of engineering time.
The directional intent is clear across all active legislation:
- Don't sell or license user data. Not to data brokers, not to advertisers, not through API access to model outputs that embed personal information. This is the single highest-leverage architectural decision you can make.
- Minimize sensitive-data collection. If you don't collect precise geolocation, you can't sell it. If you don't infer health conditions from behavioral patterns, you don't hold health data. The cheapest compliance is not having the data in the first place.
- Know your data provenance. When 78% of organizations can't validate data before it enters training pipelines, the bar for differentiation is low. Document where your training data comes from. Have a mechanism to remove it if needed. This will be table stakes within 18 months.
- Treat deletion as deletion. Not archival. Not soft-delete with a 90-day retention. Actual deletion. Several of the emerging state laws define deletion requirements, and the penalties for non-compliance are per-record.
How Are We Thinking About This at Selina?
We don't sell user data. We don't license it. We don't use it for third-party advertising. This isn't a recent policy decision prompted by New Jersey's law — it's how the product was built from the start. When your business model doesn't depend on data brokerage, data broker laws are someone else's problem.
Our architecture reflects this. Content is encrypted at rest. Files and transfers through SelinaSEND are end-to-end encrypted — zero-knowledge, meaning we can't read them. Memory is NOT end-to-end encrypted; a slice of each request reaches a frontier provider at inference. We state that plainly because it's true, and because overstating your encryption posture is the kind of thing that gets expensive when regulators start asking questions.
Non-content operational metadata is kept for a short retention window — not zero retention, because operational reliability requires some metadata, and claiming otherwise would be dishonest.
Delete means gone. Actually gone. Not "marked for deletion in the next quarterly purge." When you delete your data in Selina, we don't retain it, and we can't retrieve it. This is a product decision with real engineering cost — recovery becomes impossible — but it's the right trade in a regulatory environment where per-record penalties for data you shouldn't have kept can reach $50,000.
We route requests through a stack of frontier models, routed per task. We don't name our providers publicly — not for competitive secrecy, but because the routing changes and any specific claim would be stale within weeks. What doesn't change is the architecture: your data isn't used to train those models, and your content doesn't persist in their systems beyond the inference window.
None of this makes us immune to regulation. We're subject to the same emerging laws as everyone else. But when the regulatory trend is toward penalizing data sale and sensitive-data collection, a product that does neither starts from a structurally better position. That's not a marketing claim — it's arithmetic.
What Happens Next?
Three things to watch.
First, New Jersey's enforcement pause will resolve in one of two ways: the law gets revised (likely reducing fees, narrowing the "data collector" definition, or adding grace periods), or it gets enforced as written. Either way, the sensitive-data sale ban is probably permanent. It had broad political support and aligns with the consumer-protection framing that both parties find palatable.
Second, the surveillance-pricing bans will continue to multiply. With 24 states already considering bills and three having enacted them, this is no longer a regional experiment. Any AI product that touches pricing, personalization, or access decisions based on behavioral data will need to account for these laws — and they're being drafted by legislators who explicitly name AI as the mechanism of harm.
Third, the 78%-can't-validate-training-data number is going to become a regulatory target. It's the kind of statistic that shows up in legislative testimony and committee reports. Expect data-provenance requirements to appear in state AI bills within the next 12 months — not as aspirational guidance, but as enforceable obligations with per-violation penalties.
The pattern is clear. State legislatures have discovered that data regulation is both popular and revenue-generating. The bills are getting drafted faster, the definitions are getting broader, and the penalties are getting steeper. You can try to track and comply with each one individually — hiring a compliance team for every new state, parsing ambiguous definitions, budgeting for registration fees that might reach seven figures — or you can build a product that doesn't trigger any of them.
We chose the second option. not because we anticipated New Jersey specifically, but because the direction was obvious two years ago. The laws are just catching up.
If you want to see what an AI assistant looks like when it's built this way — memory that works without selling your data, encryption that's real where it's real and honestly limited where it's limited — start a free 7-day trial, no card required.
Frequently Asked Questions
What exactly did New Jersey's new law do?
Governor Mikie Sherrill signed A5328 on June 30, 2026, creating tiered annual data broker registration fees up to $1.5 million and banning the outright sale of sensitive data, with civil penalties of $50,000 per record sold, offered, or licensed.
What is a 'data collector' and why does it matter for AI companies?
It's a new category unique to New Jersey's law that covers entities collecting behavioral data—not just those selling it—meaning AI products using click patterns, browsing history, or location data to train or personalize models could qualify even without selling that data to third parties.
How did this law get passed so quickly?
It was introduced and signed within 48 hours as part of New Jersey's budget process, with little public debate, after being amended to boost projected revenue from about $2.5 million to an estimated $50 million.
Is the law currently being enforced?
No, enforcement is paused after businesses raised concerns over the fees and scope, though the sensitive-data sale ban and data collector provisions took effect immediately upon signing; the registry itself isn't required until roughly March 27, 2027.
How does this law relate to surveillance-pricing bans in other states?
Both target the same underlying issue—algorithmic decisions built on inferred or behavioral data—with New Jersey's data broker law restricting the data inputs while surveillance-pricing bans in states like Maryland, Connecticut, and New York restrict the algorithmic pricing outputs, together forming a broader regulatory pattern AI product teams need to watch.
Sources & References
- Independence Day surprise: New Jersey's costly new data broker law | IAPP
- New Jersey Adopts Sweeping New Data Broker Law, Effective Immediately: Wiley
- Fast-Tracked New Jersey Law Leaves Data Broker Industry Reeling
- New Jersey Enacts the Nation's Costliest Data Broker Law Yet | Privacy + Cyber + AI
- New Jersey Enacts the Nation's Costliest Data Broker Law Yet | Regulatory Oversight
- New Jersey Enacts New Data Broker Registration Requirements and Sensitive Data Restrictions
- New Jersey’s Highest-in-Nation Data Broker Fees Shock Industry
- New Jersey Enacts Broad Data Broker Law with Costly Fees and Severe Fines
- New Jersey Data Broker Law: The Most Expensive Data Broker Law in America and How to Comply - Captain Compliance
- New Jersey bans the sale of sensitive data and creates a new data broker registry
- New Jersey Delays Enforcing Highest-in-Nation Data Broker Fees
- N.J. campaigns brace for voter data shutdown under new law - New Jersey Globe
- S2316
- Surveillance Pricing Laws by State 2026: Algorithmic & Personalized Pricing Regulation | AI Laws by State
- The Price Isn’t Right: Emerging Patchwork of State Surveillance Pricing Bans Creates Compliance Complications for Businesses | Sheppard
- One Fair Price Act: New York's Developing Approach to Surveillance Pricing | Loeb & Loeb LLP
- Maryland Becomes the First State to Restrict Surveillance Pricing in the Food Industry | Skadden, Arps, Slate, Meagher & Flom LLP
- Maryland Leads Wave of State Surveillance Pricing Regulation, with Colorado and Connecticut Quickly Following | Insights | Venable LLP
- Surveillance Pricing 2026: 24 States Move to Ban Algorithms - State of Surveillance
- New Jersey becomes second state to ban surveillance pricing
- Maryland Bans Surveillance Pricing for Food Retailers | MultiState
- N.Y. state lawmakers pass bill banning surveillance pricing
- Surveillance Pricing: The Next Frontier of Privacy Litigation | Publications | Insights | Faegre Drinker Biddle & Reath LLP
- 2026 Legislative Update: New Data Privacy & AI Laws | LP
- U.S. Privacy Laws Legislative Update | Privacy Matters
- Proposed State Privacy and AI Law Update: June 1, 2026 | Privacy + Cyber + AI
- State AI Legislation 2026: New Compliance Rules to Prepare For
- Proposed State Privacy and AI Law Update: May 11, 2026 | Privacy + Cyber + AI
- Proposed State Privacy and AI Law Update: May 25, 2026 | Privacy + Cyber + AI
- 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026 | Privacy World
- State-by-State AI Security Legislation: Q2 2026 Tracker | IntelliSee Intelligence
- Key Takeaways on Proposed State AI and Privacy Laws: January 2026 | Privacy + Cyber + AI
- 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026 | Insights | Squire Patton Boggs
