New Jersey Is Considering Seven-Figure Annual Fees on Big Tech’s Data Brokers. Here Is What That Means.

New Jersey lawmakers are weighing a significant escalation in the state’s approach to regulating the multi-billion-dollar data broker industry, with a leaked draft amendment to Senate Bill 2316 circulated among Trenton insiders and reported in Politico’s New Jersey Playbook proposing seven-figure annual registration fees that would apply to major technology companies collecting and monetizing the personal data of New Jersey residents. The amendment represents a dramatic departure from the current bill text, which sets the annual registration fee for data brokers at $5,500 — a figure that, in an industry where the largest players generate revenue by selling access to the personal information of hundreds of millions of people, is not meaningfully consequential to compliance decisions. The proposed leap to million-dollar annual fees for major tech operators is the Legislature’s attempt to make the regulatory cost proportionate to the scale of the operation being regulated.

The bill itself, S2316, was introduced by Senator John F. McKeon of District 27 (Essex and Passaic) and was reported from the Senate Budget and Appropriations Committee on June 28 — the same Sunday that the Legislature was advancing its $60.7 billion FY27 budget. The timing is not coincidental. S2316 and its companion data privacy measures are part of a broader regulatory push that Trenton has been building since New Jersey enacted its comprehensive Data Protection Act in January 2025, and the question of how to structure meaningful enforcement economics for the data broker sector has been one of the central unresolved issues since that law’s passage.

What a Data Broker Is and Why New Jersey Has Standing to Regulate Them

Before examining the fee structure debate, it is worth establishing precisely what the legislation defines as a data broker and why that definition encompasses some of the largest and most profitable technology companies in the world. Under S2316, a data broker is a business that collects or purchases the personal data of consumers with whom it does not have a direct relationship and then sells, licenses, or otherwise provides that data to third parties. The absence of a direct relationship is the key distinguishing element: a retailer that collects purchasing data from its own customers is not a data broker in this framework. A company that acquires data about individuals who have never interacted with it directly — from third-party sources, from other companies’ user bases, from public records aggregations — and then sells access to that data is the target the bill is designed to reach.

The industry that this definition describes is enormous and, by most measures, dramatically underregulated relative to the value it extracts and the harm it can cause. Data brokers maintain profiles on virtually every American adult, incorporating information about income, health conditions, political affiliation, purchasing behavior, precise location history, family composition, credit history, and an ever-expanding range of attributes derived from digital activity. They sell access to these profiles to advertisers, insurance companies, employers, landlords, political campaigns, law enforcement agencies, and any other buyer willing to pay. The individuals whose information is being sold typically have no knowledge of the transaction, no ability to review the profile that exists about them, and no practical mechanism for correcting errors or demanding deletion.

New Jersey’s basis for regulating this industry is both geographic and economic. The state contains more than nine million residents whose personal information is being processed by data brokers — nine million people whose racial and ethnic backgrounds, health records, religious beliefs, financial circumstances, sexual orientations, immigration statuses, and precise location histories are available for purchase by anyone with a subscription to the right data service. The state has a public interest in establishing standards for how that information is collected, what categories of sensitive information may not be sold regardless of consent, and what financial obligations data brokers must meet as a condition of operating in New Jersey’s market.

The New Jersey Data Protection Act, which took effect in January 2025, established the foundational framework. S2316 builds on that foundation by specifically targeting the data broker subset of the data economy — the companies whose entire business model is built on brokering information rather than companies that collect data as an ancillary element of another primary service.

The Bill’s Core Provisions: What S2316 Actually Requires

The substantive requirements in S2316 go significantly beyond the fee structure debate, establishing a comprehensive regulatory relationship between data brokers and the New Jersey Division of Consumer Affairs that would be among the most detailed in any state in the country.

The bill requires every data broker operating in New Jersey — defined as any entity processing the personal data of New Jersey consumers — to register annually with the Division of Consumer Affairs and provide the Division with specific information about its operations. The required disclosures include the data broker’s name and physical address, a general email address through which consumers can request information about privacy policies, a website address for the company’s privacy policies, and any relevant opt-out procedures. Beyond basic identification, the bill requires data brokers to disclose their data collection practices, their database operations, their sales activities, their data breach history including the number of individuals affected by each breach, and their specific practices with respect to the personal information of individuals under the age of 18.

The under-18 provision deserves specific attention because it addresses a dimension of data broker activity that has generated particular concern among child safety advocates and state lawmakers: the construction and sale of profiles on minors based on data collected without parental knowledge or consent. The bill requires data brokers to separately describe their collection practices and opt-out procedures for minors, and it requires disclosure of whether the broker has actual knowledge that it possesses the personal information of individuals under 18. This transparency requirement is designed to create a paper trail that enables both regulatory enforcement and private legal action when data brokers violate existing requirements around the handling of children’s information.

The bill’s most sweeping substantive restriction is an outright prohibition on the sale of sensitive data, regardless of the volume involved. The category of sensitive data is defined broadly: racial or ethnic origin; religious beliefs; health conditions; financial account information; sexual orientation and gender identity; citizenship and immigration status; genetic data; biometric data used for identification; and precise geolocation data. Under S2316, a data broker cannot sell, license, or otherwise furnish any of these categories of information to third parties under any circumstances, without exception based on quantity or context. This is a categorical prohibition rather than a consent-based framework — the legislation does not create a pathway for consumers to opt in to the sale of their sensitive data. It simply prohibits the commercial transaction regardless of consent.

The sensitive data prohibition is the provision that most directly implicates the largest technology companies in the data broker space, because the profiles those companies maintain about individual users frequently include health-related inferences drawn from search history, location patterns indicative of religious practice, purchasing behavior correlated with financial circumstances, and biometric data collected through voice recognition and facial recognition applications. The question of whether any of these inferences or correlations meets the bill’s definition of sensitive data will be the subject of significant litigation if and when the legislation becomes law.

The Fee Structure: From $100 to $5,500 to Seven Figures

The evolution of the annual registration fee structure within S2316’s legislative history reflects the Legislature’s ongoing attempt to calibrate the bill’s economic impact on different categories of data broker.

The bill as originally introduced in January 2026 set the annual registration fee at $100 — a nominal amount that critics characterized immediately as inadequate to fund meaningful enforcement, let alone to create any financial deterrent for an industry whose major players generate hundreds of millions or billions of dollars in revenue annually from the sale of personal information. A $100 annual fee for a company like Acxiom, Experian Marketing Services, or LexisNexis Risk Solutions — companies whose entire business is the compilation and sale of consumer data at scale — is a rounding error in their compliance budgets and provides no meaningful regulatory signal about the state’s seriousness.

The Senate Commerce Committee substitute version of the bill, which was reported from committee on May 18 and moved to the Senate Budget and Appropriations Committee, raised the annual registration fee to $5,500 — a significant proportional increase from the $100 baseline but still a figure that most data brokers of any significant scale would absorb without difficulty and without any meaningful impact on their operating economics. The $5,500 fee is sufficient to fund basic registry maintenance and some administrative enforcement capacity. It is not sufficient to reflect the scale of the industry’s revenue extraction from New Jersey residents or to create a financial incentive for companies to substantially modify their data collection practices.

The leaked draft amendment that Politico’s New Jersey Playbook reported last week represents a third position on the fee question — one that has not been formally introduced as legislation but that is apparently under active consideration by the lawmakers who have been building this regulatory framework. A seven-figure annual fee — meaning a fee at or above $1 million — applied to major technology companies processing significant volumes of New Jersey residents’ personal data would be a fundamentally different kind of regulatory instrument than the $5,500 base fee. It would generate substantial state revenue for enforcement purposes, potentially exceeding the enforcement funding generated by any other state data privacy program in the country. It would create a financial cost that is visible on the income statements of the companies being regulated rather than disappearing into administrative overhead. And it would establish New Jersey as the most aggressive state in the country in terms of the financial burden it places on data brokers operating within its jurisdiction.

Whether that last outcome is a feature or a bug in the legislation’s design depends on whose perspective you are applying. Proponents of the seven-figure fee would argue that an industry generating billions of dollars from the personal information of Americans — information collected without meaningful consent, assembled without the subjects’ knowledge, and sold to buyers whose purposes are not disclosed — has been operating for decades with essentially no proportionate financial accountability to the states where the people whose data is being sold actually live. A seven-figure annual fee, in this view, is not punitive. It is a belated attempt to impose a cost on a profitable business activity that has externalized most of its costs onto the individuals whose privacy it compromises.

The technology and data industry’s response to fee proposals of this magnitude is predictable and has been previewed in the responses to similar proposals in other states: that the fees would be challenged in court on commerce clause and due process grounds, that the compliance cost would be passed through to consumers who use platforms that depend on data-broker-sourced audience targeting, and that New Jersey would be making itself less competitive as a technology business environment compared to states with more permissive regulatory frameworks.

The New Jersey Data Protection Act: The Foundation S2316 Is Building On

S2316 does not exist in regulatory isolation. The New Jersey Data Protection Act, signed into law in January 2025, established the foundational framework that makes S2316 possible: it defined the categories of personal data that are subject to state protection, established consumer rights including the right to access, correct, and delete personal data, created opt-out rights for certain categories of data processing, and set up the enforcement architecture through which violations would be addressed. The NJDPA’s cure period — the window during which businesses were given the opportunity to correct violations before facing enforcement actions — expired on July 1, 2026, the day before this article is being published. From this point forward, violations are immediately actionable without a cure period.

The expiration of the cure period is not an administrative detail. It signals a transition from the NJDPA’s implementation phase — during which businesses were expected to be building compliant systems and processes — to its enforcement phase, in which the Division of Consumer Affairs will be expected to actively investigate complaints, identify violations, and impose penalties. The $5,500 data broker registration fee established in S2316’s current text would fund some portion of that enforcement capacity. A seven-figure fee would fund substantially more.

The interaction between S2316 and the NJDPA creates a regulatory ecosystem that is becoming genuinely complex for the data industry to navigate in New Jersey. The prohibition on selling sensitive data without consent; the registration and disclosure requirements; the enforcement funding generated by the registration fee; and the expiration of the NJDPA’s cure period all converge to make New Jersey an increasingly consequential jurisdiction for companies whose business models depend on processing and selling personal data at scale.

The Broader National Context: New Jersey Is Not Alone

New Jersey’s legislative activity on data broker regulation is part of a national pattern that has been accelerating since California enacted the California Consumer Privacy Act in 2018 and the California Privacy Rights Act in 2020. As of 2026, nineteen states have enacted comprehensive data privacy laws, and additional states are at various stages of the legislative process. The specific question of data broker fees has emerged as one of the most contested issues in that national pattern, because fee structures determine whether data privacy laws have meaningful enforcement capacity or exist primarily as symbolic legislative commitments.

California Attorney General Rob Bonta’s January 2026 announcement of an investigative sweep into retailers, grocers, and travel companies suspected of using consumer personal data to adjust prices for individual consumers — what advocates call surveillance pricing — signals the direction in which state regulatory attention is heading. If the personal data that data brokers collect and sell is being used to charge different consumers different prices for the same goods and services based on inferences about their income, location, or demographic profile, the downstream harm from data broker activity extends from privacy violation into economic discrimination. That dimension of the data economy is likely to further intensify legislative pressure in states like New Jersey that have already established a data privacy foundation and are now determining how to enforce it with appropriate financial consequence.

The New York Algorithmic Pricing Disclosure Act, which took effect late in 2025 as the first enacted statute of its kind in the nation, adds an adjacent regulatory layer to the regional environment surrounding New Jersey. The proximity of New Jersey to New York — and the overlap in the population of companies regulated by both states’ privacy and data laws — means that companies navigating New Jersey’s evolving data broker requirements are doing so in a multi-jurisdictional context that makes the compliance calculus considerably more complex than it would be in either state alone.

What S2316’s Next Steps Look Like

The bill was reported from the Senate Budget and Appropriations Committee on June 28 and now awaits a vote by the full Senate. The timing of the leaked draft amendment for seven-figure fees suggests that negotiations over the bill’s final fee structure are active and unresolved, and that at least some members of the Legislature believe the $5,500 figure that emerged from the Senate Commerce Committee process is insufficient to accomplish the bill’s regulatory objectives.

The Assembly companion bill, A5328, is at an earlier stage in its chamber’s process. Final passage of S2316 in any form will require concurrent Assembly action and the governor’s signature. Governor Sherrill has not issued a specific statement on S2316, but her administration’s posture on data privacy more broadly — including the separate legislation requiring AI data center operators to disclose their water and electricity consumption, and the administration’s stated commitment to protecting New Jersey residents from technology industry practices that harm them — is consistent with support for meaningful data broker regulation.

For New Jersey’s nine million residents, the fee structure debate in S2316 is not abstract. It determines whether the state’s data broker registry is an administrative formality funded by nominal fees, or an enforcement infrastructure with the resources to investigate complaints, identify violations, and impose penalties on companies that are generating significant revenue from the sale of information about people who live here. The answer to that question will shape what data privacy in New Jersey actually means — not in the language of the statute but in the practical experience of enforcement.

Related articles

spot_imgspot_imgspot_imgspot_img