There’s been a lot of noise around New Jersey’s newly enacted data broker and data collector law (A5328).
Some of that noise sounded like relief: Don’t worry — there’s a moratorium.
Privacy attorney Ben Isaacson pushed back on that narrative. And the New Jersey Division of Consumer Affairs alert is worth reading carefully for the same reason.

What the official alert is (and isn’t) saying
According to New Jersey’s Office of Consumer Protection / Division of Consumer Affairs alert:
- Registration is deferred — Covered data brokers and data collectors do not need to register or pay the new fees until the first registration period in 2027.
- Sensitive data restrictions are not vaporware — The law’s restrictions around selling or licensing sensitive personal data remain in effect and can still be enforced.
- Guidance is coming — DCA has signaled more clarity is on the way. That does not mean “business as usual until further notice.”
Source: New Jersey Division of Consumer Affairs — Alerts
In other words: New Jersey slowed the registry/fee machinery. It did not greenlight unrestricted sensitive-data commerce.
Why this matters beyond New Jersey
A5328 is aggressive by design:
- Broad coverage of both data brokers and data collectors
- A public registry model
- High registration fees (once live)
- Severe penalties tied to prohibited sensitive-data sales/licenses
Even with registration delayed, the market takeaway is blunt:
Opacity is getting priced out.
States are no longer only asking “did you disclose?”
They’re asking “did you sell something you shouldn’t?” and “who are you in the chain?”
If your acquisition or activation stack depends on inferred sensitive attributes moving through layered broker relationships, you’re not just managing privacy risk. You’re managing model risk.
The false choice: stop using data, or keep gambling
Every time a state tightens the screws, the industry splits into two camps:

