- with Finance and Tax Executives and Inhouse Counsel
- with readers working within the Accounting & Consultancy industries
Update
On Friday July 10, the New Jersey Attorney General’s Division of Consumer Affairs responded to concerns from businesses about the obligation to immediately register and pay the applicable fees by delaying the registration obligation until 2027.
The Bottom Line
- Vermont and New Jersey have enacted significant new data broker legislation, imposing registration requirements, disclosure obligations, and substantial penalties on businesses that collect and sell consumer personal data without a direct relationship.
- Vermont substantially expands its existing data broker registration framework with broadened definitions, enhanced purchaser credentialing requirements, a new security breach notice regime, and a mandate to study a California-style accessible deletion mechanism.
- New Jersey creates an entirely new data broker and data collector regulatory regime with tiered registration fees reaching up to $1.5 million, a blanket prohibition on the sale or licensing of sensitive data, and $50,000-per-record penalties for violations.
- Companies operating in the data broker ecosystem should immediately assess whether they qualify as data brokers or data collectors in each state, inventory sensitive data categories, and prepare jurisdiction-specific registration submissions and compliance programs.
The regulatory landscape for data brokers continues to intensify as states enact targeted legislation governing the collection and sale of personal data by entities that lack direct consumer relationships. Less than two months after Connecticut enacted a new data broker law, Vermont and New Jersey are the latest states to join this trend, each adopting distinct approaches requiring careful attention from affected businesses.
Vermont’s law significantly amends the state’s existing data broker registration framework, with key provisions effective January 1, 2027. New Jersey’s legislation (A.B. 5328) regulates data brokers, data collectors, and certain sensitive information, taking effect immediately upon enactment, with the public registry inoperative for 270 days.
Together, these laws reflect a legislative consensus that existing privacy frameworks are insufficient to address the unique risks posed by the data brokerage industry.
Vermont Data Broker Law — Key Provisions
Expanded Definition of Brokered Personal Information
Vermont significantly broadens “brokered personal information” to cover any information, including derived data and unique identifiers, linked or reasonably linkable to an identified or identifiable individual or household device. Publicly available information is excluded, but biometric data collected without consumer knowledge, obscene visual depictions, nonconsensual intimate images, and genetic data (unless consumer-disclosed) are no longer considered public.
Clarified Data Broker and Direct Relationship Definitions
Vermont defines a “data broker” as a business that knowingly collects and sells or licenses brokered personal information of a Vermont consumer with whom the business does not have a direct relationship. A “direct relationship” now requires that the consumer intends to interact with the business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services. Companies cannot claim that they have a direct relationship simply because they collect data directly from the consumer — the consumer must intend to interact with the business.
Purchaser Credentialing
Data brokers must maintain procedures requiring prospective users to identify themselves, state purposes, certify use limitations, submit to verification, and refrain from disclosure where misuse is suspected.
Prior to disclosing brokered personal information, the data broker must make a reasonable effort to:
- verify the identity of the prospective user;
- review the user’s stated purposes for seeking the information; and
- not disclose the information to the user if the data broker has reasonable grounds to believe that the data will be used for different purposes than those disclosed to the data broker or to violate State or federal law.
These affirmative obligations for data brokers to monitor and vet prospective data recipients are unique to Vermont.
Security Breach Notice
Vermont creates a dedicated data broker breach notice framework requiring notice to affected consumers within 45 days after discovery, preliminary notice to the Attorney General within 14 business days, and specified content requirements. A “misuse not reasonably possible” exception is available.
Registration Requirements
Registration is required within 30 days of meeting the definition, and by July 1 annually. Requirements include a $900 fee, $20,000 surety bond, and detailed disclosures covering contact information, purchaser credentialing practices, breach history, minors’ data practices, sensitive data categories, and whether data has been shared with foreign actors, governments, law enforcement (absent legal process), or GenAI developers. Opt-out/deletion URLs, privacy policy copies, and FCRA status must also be disclosed.
Failure to register could result in fines of $200 per day plus fees and state costs. Registering with materially incorrect information entails fines of $25,000 plus $1,000 per day that the information is not corrected. Violations constitute unfair and deceptive acts, and the Attorney General has rulemaking, investigation, and civil action authority.
Public Registry
The Secretary of State must maintain a publicly accessible downloadable spreadsheet of all registered data brokers with consumer-rights information.
Deletion Mechanism Study
Vermont directs the Secretary of State to study the feasibility of an accessible deletion mechanism similar to California’s Delete Act, with an interim report due December 2027 and a final report (including proposed legislation) due December 2028.
New Jersey Data Broker Law — Key Provisions
Scope and Structure
New Jersey A.B. 5328 regulates data brokers, data collectors, and the collection and dissemination of certain sensitive information.
Data Brokers and Data Collectors
New Jersey is unique in that it not only regulates the activities of “data brokers,” persons or entities that knowingly collect or purchase consumer personal data without a direct relationship and sell or license it to a third party, but also “data collectors,” which are businesses that do have a direct relationship with consumers and knowingly sell or license personal data to a data broker.
This means that, as a consequence of providing data to data brokers, companies may be required to register with the State even if they are not data brokers themselves. This is a radical departure from other state data broker laws.
Public Registry
The Division of Consumer Affairs must maintain a public registry of data brokers and data collectors, including entity name, physical address, email, website, privacy policy URL, and opt-out information. Registry information must be updated annually. Breach and cybersecurity history is not published.
Tiered Registration Fees
Each data broker and data collector must register annually and pay fees based on the number of consumers whose data is sold or licensed. This model diverges from other states that have a set fee for all data brokers, regardless of the amount of data that they sell. Annual registration fees range from $5,000 to $1.5 million based on the volume of consumer data sold or licensed.
Registration Disclosures
Registration submissions must include primary contact information, opt-out practices and limitations, deletion permissions, purchaser credentialing practices, breach/cybersecurity event history, minors’ data practices, and processors used.
Sensitive Data Sale Prohibition
New Jersey imposes a blanket prohibition: data brokers and data collectors may not sell or license sensitive data to any other individual or entity.
“Sensitive data” includes racial/ethnic origin, religious beliefs, health information, financial data (account numbers with security codes), sex life/orientation, citizenship/immigration status, transgender/non-binary status, genetic/biometric data, children’s data, and precise geolocation.
Penalties and Enforcement
Failure to register or pay registration fees could result in penalties of $2,500 per day. The penalty for selling or licensing sensitive data amounts to $50,000 per record. Civil penalties are enforced by the Division of Consumer Affairs in summary proceedings, and the Director has rulemaking authority.
How These Laws Compare to California
Vermont
Vermont now borrows several Delete Act-style concepts from California, including expanded disclosure categories and a $200-per-day registration penalty. However, Vermont does not yet impose California’s operational deletion requirements and third-party audit mandates.
Vermont’s deletion-mechanism study may lead to comparable legislation, but for now the state occupies a middle ground between pure registration and operational mandate.
New Jersey
New Jersey takes a fundamentally different approach from California, focusing on registration fees and penalties. New Jersey’s $50,000-per-record penalty for sensitive data sales and tiered fees up to $1.5 million represent perhaps the most aggressive financial enforcement framework of any state data broker law. New Jersey also reaches data collectors (entities with direct consumer relationships that sell data to brokers), a category not separately regulated in California.
New Jersey does not create a statewide deletion mechanism, require deletion-request metrics, or mandate third-party audits as California does.
What This Means for Businesses
Businesses that collect, purchase, sell, or license consumer personal data should take the following steps in light of these developments:
- Map data broker and data collector status across jurisdictions. Determine whether your business meets the definition of a “data broker” under the laws of Vermont, New Jersey, and other states — and separately whether it qualifies as a “data collector” under New Jersey law. State definitions are not identical.
- Reassess direct relationship assumptions. Vermont’s narrowed definition means that merely collecting data from consumers or interacting to verify identity may no longer suffice to avoid data broker classification. Review existing consumer touchpoints under each state’s framework.
- Inventory sensitive and high-risk data categories. New Jersey’s blanket prohibition on selling sensitive data, with $50,000-per-record penalties, makes it imperative to identify and segregate sensitive data categories throughout data flows.
- Prepare jurisdiction-specific registry submissions. Vermont, New Jersey, and other states each require different disclosures, deadlines, and fees. Develop a compliance calendar and standardized information-gathering processes.
- Evaluate purchaser credentialing and contractual controls. Vermont’s mandatory purchaser credentialing framework requires affirmative steps beyond current market practice, including identity verification, purpose-limitation certification, and use-restriction requirements.
- Strengthen breach and cybersecurity event tracking. Vermont’s 45-day breach notice and 14-business-day Attorney General preliminary notice requirements, combined with New Jersey’s registration disclosure of breach history, require robust incident-tracking systems.
- Build scalable consumer deletion and opt-out processes. California’s operational deletion mechanism (45-day recurring obligations beginning August 2026) sets the current high-water mark, but Vermont’s feasibility study may produce comparable legislation by 2029. Design scalable infrastructure now rather than building state-by-state solutions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]