New Jersey wants to ban the sale of sensitive personal data and fine violators $50,000 per record - a sharp new risk for insurers.
Assembly Bill 5332 landed June 28, 2026, sponsored by Assemblyman William F. Moen, Jr. Lawmakers sent it straight to the Assembly Financial Institutions and Insurance Committee - a fair clue about who it touches. The bill would amend the state's existing privacy law, P.L.2023, c.266, and add fresh rules to Title 56 of the Revised Statutes.
The heart of it is one flat rule. No data broker - and the bill folds "controllers" into that group - could "sell, offer for sale, license, or otherwise furnish, provide, or transmit" sensitive data to anyone. Cross that line, and the bill sets a penalty of $50,000 "for each record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted." Sell a thousand records, and you are staring at a $50 million problem.
Read the bill's definition of "sensitive data" and you will see why carriers should care. It sweeps in a consumer's "mental or physical health condition, treatment, or diagnosis," financial account numbers and passwords, "genetic or biometric data," citizenship or immigration status, and "precise geolocation data" - a location pinned within 1,750 feet. That is the everyday fuel of underwriting, claims and telematics.
The bill would also stand up a public registry. Any broker handling New Jersey consumers' data would register with the Division of Consumer Affairs every year, pay a $5,500 fee, and hand over details including "a history of data breaches and other cybersecurity events" and how consumers can opt out. The registry would list each broker's name, address, websites and opt-out information for the public to see. Miss the deadline or let the information go stale, and the bill adds a separate fine: $2,500 "for each day" out of compliance.
There is a way out for regulated firms. A "financial institution or an affiliate of a financial institution" engaged in financial activities under the federal Bank Holding Company Act of 1956 - and "regulated and examined by the New Jersey Department of Banking and Insurance or an applicable federal bank regulatory agency" - could sit outside the broker rules, as long as it runs a compliance program. Just how far that carve-out reaches into insurance is the question compliance teams will be chewing on.
Consent gets tighter, too. A controller would have to make pulling consent "at least as easy" as giving it, then stop processing the data "not later than 15 days" after the request.
Timing matters. If it passes, the act would take effect immediately, though the registration-penalty section would sit dormant for 180 days. For now, the bill has only been introduced and sent to committee. It is not law yet, and the wording could shift as it moves.
