ARTICLE
14 July 2026

Vermont And New Jersey Data Broker Laws Add To Expanding State Privacy Patchwork

DL
Davis+Gilbert LLP

Contributor

Davis+Gilbert LLP is a strategically focused, full-service mid-sized law firm of more than 130 lawyers. Founded over a century ago and located in New York City, the firm represents a wide array of clients – ranging from start-ups to some of the world's largest public companies and financial institutions.
Vermont and New Jersey have enacted sweeping data broker legislation that imposes registration requirements, disclosure obligations, and substantial penalties on businesses that collect and sell consumer personal data without direct relationships. How will these new frameworks reshape the data brokerage industry and what immediate compliance steps must affected companies take?
United States New Jersey Vermont Privacy
Davis+Gilbert LLP are most popular:
  • with Finance and Tax Executives and Inhouse Counsel
  • with readers working within the Accounting & Consultancy industries

Update

On Friday July 10, the New Jersey Attorney General’s Division of Consumer Affairs responded to concerns from businesses about the obligation to immediately register and pay the applicable fees by delaying the registration obligation until 2027.

The Bottom Line

  • Vermont and New Jersey have enacted significant new data broker legislation, imposing registration requirements, disclosure obligations, and substantial penalties on businesses that collect and sell consumer personal data without a direct relationship.
  • Vermont substantially expands its existing data broker registration framework with broadened definitions, enhanced purchaser credentialing requirements, a new security breach notice regime, and a mandate to study a California-style accessible deletion mechanism.
  • New Jersey creates an entirely new data broker and data collector regulatory regime with tiered registration fees reaching up to $1.5 million, a blanket prohibition on the sale or licensing of sensitive data, and $50,000-per-record penalties for violations.
  • Companies operating in the data broker ecosystem should immediately assess whether they qualify as data brokers or data collectors in each state, inventory sensitive data categories, and prepare jurisdiction-specific registration submissions and compliance programs.

The regulatory landscape for data brokers continues to intensify as states enact targeted legislation governing the collection and sale of personal data by entities that lack direct consumer relationships. Less than two months after Connecticut enacted a new data broker law, Vermont and New Jersey are the latest states to join this trend, each adopting distinct approaches requiring careful attention from affected businesses.

Vermont’s law significantly amends the state’s existing data broker registration framework, with key provisions effective January 1, 2027. New Jersey’s legislation (A.B. 5328) regulates data brokers, data collectors, and certain sensitive information, taking effect immediately upon enactment, with the public registry inoperative for 270 days.

Together, these laws reflect a legislative consensus that existing privacy frameworks are insufficient to address the unique risks posed by the data brokerage industry.

Vermont Data Broker Law — Key Provisions

Expanded Definition of Brokered Personal Information

Vermont significantly broadens “brokered personal information” to cover any information, including derived data and unique identifiers, linked or reasonably linkable to an identified or identifiable individual or household device. Publicly available information is excluded, but biometric data collected without consumer knowledge, obscene visual depictions, nonconsensual intimate images, and genetic data (unless consumer-disclosed) are no longer considered public.

Clarified Data Broker and Direct Relationship Definitions

Vermont defines a “data broker” as a business that knowingly collects and sells or licenses brokered personal information of a Vermont consumer with whom the business does not have a direct relationship. A “direct relationship” now requires that the consumer intends to interact with the business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services. Companies cannot claim that they have a direct relationship simply because they collect data directly from the consumer — the consumer must intend to interact with the business.

Purchaser Credentialing

Data brokers must maintain procedures requiring prospective users to identify themselves, state purposes, certify use limitations, submit to verification, and refrain from disclosure where misuse is suspected.

Prior to disclosing brokered personal information, the data broker must make a reasonable effort to:

  • verify the identity of the prospective user;
  • review the user’s stated purposes for seeking the information; and
  • not disclose the information to the user if the data broker has reasonable grounds to believe that the data will be used for different purposes than those disclosed to the data broker or to violate State or federal law.

These affirmative obligations for data brokers to monitor and vet prospective data recipients are unique to Vermont.

Security Breach Notice

Vermont creates a dedicated data broker breach notice framework requiring notice to affected consumers within 45 days after discovery, preliminary notice to the Attorney General within 14 business days, and specified content requirements. A “misuse not reasonably possible” exception is available.

Registration Requirements

Registration is required within 30 days of meeting the definition, and by July 1 annually. Requirements include a $900 fee, $20,000 surety bond, and detailed disclosures covering contact information, purchaser credentialing practices, breach history, minors’ data practices, sensitive data categories, and whether data has been shared with foreign actors, governments, law enforcement (absent legal process), or GenAI developers. Opt-out/deletion URLs, privacy policy copies, and FCRA status must also be disclosed.

Failure to register could result in fines of $200 per day plus fees and state costs. Registering with materially incorrect information entails fines of $25,000 plus $1,000 per day that the information is not corrected. Violations constitute unfair and deceptive acts, and the Attorney General has rulemaking, investigation, and civil action authority.

Public Registry

The Secretary of State must maintain a publicly accessible downloadable spreadsheet of all registered data brokers with consumer-rights information.

Deletion Mechanism Study

Vermont directs the Secretary of State to study the feasibility of an accessible deletion mechanism similar to California’s Delete Act, with an interim report due December 2027 and a final report (including proposed legislation) due December 2028.

New Jersey Data Broker Law — Key Provisions

Scope and Structure

New Jersey A.B. 5328 regulates data brokers, data collectors, and the collection and dissemination of certain sensitive information.

Data Brokers and Data Collectors

New Jersey is unique in that it not only regulates the activities of “data brokers,” persons or entities that knowingly collect or purchase consumer personal data without a direct relationship and sell or license it to a third party, but also “data collectors,” which are businesses that do have a direct relationship with consumers and knowingly sell or license personal data to a data broker.

This means that, as a consequence of providing data to data brokers, companies may be required to register with the State even if they are not data brokers themselves. This is a radical departure from other state data broker laws.

Public Registry

The Division of Consumer Affairs must maintain a public registry of data brokers and data collectors, including entity name, physical address, email, website, privacy policy URL, and opt-out information. Registry information must be updated annually. Breach and cybersecurity history is not published.

Tiered Registration Fees

Each data broker and data collector must register annually and pay fees based on the number of consumers whose data is sold or licensed. This model diverges from other states that have a set fee for all data brokers, regardless of the amount of data that they sell. Annual registration fees range from $5,000 to $1.5 million based on the volume of consumer data sold or licensed.

Registration Disclosures

Registration submissions must include primary contact information, opt-out practices and limitations, deletion permissions, purchaser credentialing practices, breach/cybersecurity event history, minors’ data practices, and processors used.

Sensitive Data Sale Prohibition

New Jersey imposes a blanket prohibition: data brokers and data collectors may not sell or license sensitive data to any other individual or entity.

“Sensitive data” includes racial/ethnic origin, religious beliefs, health information, financial data (account numbers with security codes), sex life/orientation, citizenship/immigration status, transgender/non-binary status, genetic/biometric data, children’s data, and precise geolocation.

Penalties and Enforcement

Failure to register or pay registration fees could result in penalties of $2,500 per day. The penalty for selling or licensing sensitive data amounts to $50,000 per record. Civil penalties are enforced by the Division of Consumer Affairs in summary proceedings, and the Director has rulemaking authority.

How These Laws Compare to California

Vermont

Vermont now borrows several Delete Act-style concepts from California, including expanded disclosure categories and a $200-per-day registration penalty. However, Vermont does not yet impose California’s operational deletion requirements and third-party audit mandates.

Vermont’s deletion-mechanism study may lead to comparable legislation, but for now the state occupies a middle ground between pure registration and operational mandate.

New Jersey

New Jersey takes a fundamentally different approach from California, focusing on registration fees and penalties. New Jersey’s $50,000-per-record penalty for sensitive data sales and tiered fees up to $1.5 million represent perhaps the most aggressive financial enforcement framework of any state data broker law. New Jersey also reaches data collectors (entities with direct consumer relationships that sell data to brokers), a category not separately regulated in California.

New Jersey does not create a statewide deletion mechanism, require deletion-request metrics, or mandate third-party audits as California does.

What This Means for Businesses

Businesses that collect, purchase, sell, or license consumer personal data should take the following steps in light of these developments:

  • Map data broker and data collector status across jurisdictions. Determine whether your business meets the definition of a “data broker” under the laws of Vermont, New Jersey, and other states — and separately whether it qualifies as a “data collector” under New Jersey law. State definitions are not identical.
  • Reassess direct relationship assumptions. Vermont’s narrowed definition means that merely collecting data from consumers or interacting to verify identity may no longer suffice to avoid data broker classification. Review existing consumer touchpoints under each state’s framework.
  • Inventory sensitive and high-risk data categories. New Jersey’s blanket prohibition on selling sensitive data, with $50,000-per-record penalties, makes it imperative to identify and segregate sensitive data categories throughout data flows.
  • Prepare jurisdiction-specific registry submissions. Vermont, New Jersey, and other states each require different disclosures, deadlines, and fees. Develop a compliance calendar and standardized information-gathering processes.
  • Evaluate purchaser credentialing and contractual controls. Vermont’s mandatory purchaser credentialing framework requires affirmative steps beyond current market practice, including identity verification, purpose-limitation certification, and use-restriction requirements.
  • Strengthen breach and cybersecurity event tracking. Vermont’s 45-day breach notice and 14-business-day Attorney General preliminary notice requirements, combined with New Jersey’s registration disclosure of breach history, require robust incident-tracking systems.
  • Build scalable consumer deletion and opt-out processes. California’s operational deletion mechanism (45-day recurring obligations beginning August 2026) sets the current high-water mark, but Vermont’s feasibility study may produce comparable legislation by 2029. Design scalable infrastructure now rather than building state-by-state solutions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More