In today’s data-driven economy, data brokers play a crucial role in collecting, analyzing, and selling consumer information. However, this industry faces increasing scrutiny, including from the White House, the press, and various levels of regulation. As a privacy-focused law firm, we assist data brokers in navigating the complex legal landscape, ensuring compliance while achieving their business objectives.
Understanding Data Broker Regulations
Data brokers must comply with a growing patchwork of state and federal laws, including the following:
- California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the Delete Act: These laws require data brokers to register with the state via the California Privacy Protection Agency’s Data Broker Registry and provide consumers with rights to access, delete, and opt out of the sale of their personal information.
- Vermont, Oregon, Texas, and other state-specific data broker laws: Mandate annual registration for data brokers and impose security standards.
- Protecting Americans’ Data from Foreign Adversaries Act (PADFAA): Prohibits data brokers from selling or transferring Americans’ sensitive data to certain foreign countries or entities controlled by them.
- State-specific and sector-specific regulations: Several states have enacted or are considering laws that impact data brokers, and there are also sector-specific laws, each with unique requirements.
- Federal Trade Commission (FTC) oversight: The FTC has broad authority to investigate and enforce against unfair or deceptive practices in data handling.
- GDPR and other international laws: Laws such as the General Data Protection Regulation (GDPR) in the European Union, along with other laws worldwide, have compliance and related considerations for data brokers.
Challenges Facing Data Brokers
Data brokers face several key challenges in this evolving regulatory environment:
- Compliance complexity: Navigating multiple, sometimes conflicting, and constantly evolving state and federal regulations.
- Data accuracy: Ensuring the accuracy of collected information to avoid potential liability.
- Consumer rights management: Implementing systems to honor data subject access requests (DSARs), among other types of consumer requests for access, deletion, and opt-outs.
- Security requirements: Maintaining robust cybersecurity and data security measures to protect sensitive information.
- Transparency: Meeting disclosure requirements about data collection and use practices.
- International data transfers: Complying with restrictions on cross-border data flows, particularly to countries deemed adversarial.
Data Broker Regulatory Enforcement
As regulators increasingly focus on data brokers, we are seeing enforcement actions brought, including the following:
- Texas Sues Allstate Over Its Collection of Driver Data: Among allegations relating to privacy disclosures and other matters, Texas alleged that Arity, an Allstate subsidiary, did not comply with Texas’s data broker law, which includes a registration requirement. The company collected data about people’s driving behavior through mobile phone apps, leading to increases in drivers’ insurance rates.
Our Unique Approach
As a business-focused privacy, marketing, and technology law firm, we offer data brokers a distinct advantage:
- Industry expertise: Our deep understanding of the data broker ecosystem allows us to provide tailored advice that aligns with your business model and goals.
- Technical acumen: We bridge the gap between legal requirements and technical implementation, ensuring practical compliance solutions.
- Risk mitigation strategies: We help you identify and address potential regulatory and litigation risks before they become issues.
- Compliance program design: We develop comprehensive compliance programs that integrate seamlessly with your operations, minimizing disruptions to your business.
- Contract negotiation: We assist in drafting and negotiating agreements, such as data processing agreements (DPAs), among others, with data sources and customers to ensure compliance and protect your interests.
- Regulatory advocacy: Via RICHTPOLICY, we can represent your interests before regulatory bodies and legislators, advocating for balanced approaches to data broker regulation.
- Consumer rights management: We help design and implement efficient systems for handling consumer requests and maintaining required documentation.
- Data governance: We assist in developing robust data governance frameworks, including data mapping, data breach response, and impact assessments, that ensure compliance while maximizing the value of your data assets.
- International compliance: We navigate the complexities of cross-border data transfers, including compliance with the Data Privacy Framework (DPF) and international privacy laws.
- Ongoing support: We provide continuous guidance as regulations evolve, helping you stay ahead of compliance requirements.
By partnering with RICHT, data brokers can confidently navigate the complex regulatory landscape while focusing on their core business objectives. We translate legal requirements into practical, business-friendly solutions that protect your interests and maintain compliance. Our unique combination of legal expertise, industry knowledge, and technical understanding positions us to provide robust legal counsel in this rapidly evolving field. We don’t just help you comply with the law; we help you leverage compliance as a competitive advantage in the marketplace.
Learn how we can help your data broker business thrive in a compliant manner.
Data Broker Legal Developments
- CalPrivacy Brings New Round of Enforcement Actions Against Data Brokers: The California Privacy Protection Agency (CPPA) has announced major enforcement actions under the Delete Act, including a $45,000 fine and a permanent ban on selling Californians’ data for Rickenbacher Data LLC (Datamasters) for failing to register as a data broker while selling sensitive health and demographic lists. Coinciding with the official launch of the Delete Request and Opt-out Platform (DROP), the agency also penalized S&P Global for registration errors and highlighted previous multi-million dollar settlements with major retailers, signaling a rigorous new era of enforcement aimed at protecting consumer privacy and ensuring data broker transparency. Read More →
- CalPrivacy’s DROP platform: A legal and engineering roadmap for DROP compliance: Transcend provides a critical guide for data brokers navigating California’s new Delete Request and Opt-Out Platform (DROP), which centralizes consumer deletion requests under the Delete Act. As of January 1, 2026, the platform allows residents to scrub their personal data from hundreds of registered brokers simultaneously, requiring businesses to implement robust technical integrations—including API connections and automated suppression mechanisms—to meet a mandatory August 1, 2026 compliance deadline or face significant daily penalties. Read More →
- New Tool Allows Californians to Request Data Brokers to Delete Personal Details: California has launched “The Drop,” a first-of-its-kind government platform that enables residents to send mass deletion requests to approximately 500 registered data brokers. Established under the 2023 Delete Act, the tool aims to simplify the process of reclaiming digital privacy by allowing users to opt out of the multibillion-dollar data trade in a single step, potentially reducing unwanted marketing and curbing invasive surveillance practices. Read More →
- CalPrivacy Fines Marketing Agency for Failing to Register as a Data Broker: The California Privacy Protection Agency (CalPrivacy) issued an enforcement action, resulting in a $56,600 fine against a fitness and wellness marketing agency for failing to register as a data broker under the California Delete Act. The agency, which uses first-party and third-party data with AI for targeted advertising, was found to meet the broad definition of a data broker but failed to register for 250 days. This fine is the eighth such penalty issued by CalPrivacy and follows the announcement of a new Data Broker Enforcement Strike Force, highlighting the increasing scrutiny and significantly higher future penalties for non-compliance starting in 2026. Read More →
- Analyzing the California Delete Act Regulations: The California Office of Administrative Law has approved regulations for the California Delete Act (SB 362), which takes effect on January 1, 2026. This law mandates the creation of a “Delete Request and Opt-out Platform” (DROP), a new one-stop-shop allowing California residents to request that all registered data brokers delete their personal information. Starting August 1, 2026, data brokers must access the DROP at least once every 45 days to process deletion requests, hash consumer identifiers, and delete all associated personal information, with non-compliance carrying a penalty of $200 for each deletion request for each day the failure continues. The regulations detail new requirements for data broker account security, processing steps, and rules for consumer residency verification. Read More →
- CalPrivacy Forms Enforcement Strike Force to Intensify Data Broker Oversight: The California Privacy Protection Agency (CalPrivacy) has created a dedicated Data Broker Enforcement Strike Force within its Enforcement Division to rigorously investigate privacy violations and compliance with the Delete Act registration requirements and the California Consumer Privacy Act (CCPA). This move builds on a sweeping 2024 review that resulted in a record number of enforcement actions. The Strike Force aims to bring the intensity of federal and state prosecutorial strike forces to the data broker industry, addressing the risks posed by large-scale data collection, potential misuse of personal information, and data breaches. The initiative also supports the rollout of the Delete Request and Opt-Out Platform (DROP), giving Californians a centralized tool to request data deletion from all registered brokers starting January 2026, while escalating regulatory enforcement efforts in this fast-evolving area of privacy law. Read More →
- California Privacy Staff Offers First Look at DROP System: California’s privacy enforcement team recently provided stakeholders an initial demonstration of the Data Request and Outreach Portal (DROP), a centralized digital platform designed to streamline consumer privacy requests under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). DROP aims to simplify how businesses receive, verify, and respond to data access, deletion, and opt-out requests, reducing friction for both consumers and companies. The system will enhance transparency, improve compliance efficiency, and support consumers’ rights to control their personal information. As DROP develops toward launch, businesses are encouraged to prepare for integration with this new tool to meet California’s evolving privacy obligations effectively. Read More →
- What Privacy Experts Think Companies Should Know About Data Brokers: Engaging with data brokers can boost business intelligence, but significant legal, safety, and ethical risks follow. Privacy experts warn that working with brokers exposes companies and their customers to data breaches, regulatory scrutiny, and reputational harm—especially as new laws like California’s Delete Act heighten enforcement. Data brokers, described as the “Big Tobacco of privacy,” can facilitate risks to vulnerable groups (e.g., domestic violence survivors). To mitigate exposure, IT and risk leaders must treat data as a sensitive asset, vet broker partners rigorously, ensure clear opt-outs and transparency, and prepare for quickly evolving compliance frameworks. Ultimately, companies that view data solely as a commodity may face mounting costs, stricter rules, and impaired consumer trust. Read More →
- Europe’s Data Broker Problem and U.S. National Security Risks: An investigation revealed that sensitive location data on thousands of smartphones, including government personnel and military sites in Ireland, was openly sold by data brokers. This exposes national security risks for both Europe and the U.S., as adversaries could exploit such data to profile and target officials and critical infrastructure. Europe’s data protection focus on consumer rights creates legal gaps around data brokers and their indirect sales, limiting effective regulation. Unlike the U.S., Europe has paid less attention to national security risks from data brokerage, despite clear threats from adversaries using front companies. The U.K. is pioneering regulatory efforts, but broader European action is needed to address this growing security vulnerability. Read More →
- California Amends Data Broker Law: On October 8, 2025, California enacted SB 361, requiring registered data brokers to make more detailed annual disclosures to the California Privacy Protection Agency. Effective January 1, 2026, data brokers must now specify whether they collect a wide range of sensitive personal data—including identification numbers, account credentials, biometric data, and demographic details—and must disclose if they’ve sold or shared personal data with foreign actors, government entities, law enforcement, or generative AI developers. The new law builds on recent changes like the Delete Act and is poised to increase transparency and compliance obligations for businesses operating as data brokers in California. Read More →
- Data Brokers, Beware: Distinguishing PADFAA From the DOJ’s Data Security Program: The Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), enacted in 2024, prohibits data brokers from selling, licensing, or transferring personally identifiable sensitive data of U.S. individuals to foreign adversaries like China, Russia, Iran, and North Korea. The Federal Trade Commission enforces PADFAA with civil and criminal penalties for violators. The Department of Justice’s Data Security Program (DSP), introduced through Executive Order 14117, expands on PADFAA’s scope with broader regulations on covered data transactions involving government-related or bulk U.S. sensitive data, introducing enhanced data security controls and compliance requirements. While PADFAA targets data brokers directly, DSP covers a wider range of data handlers and transfer types, including vendor and employment agreements. Entities handling sensitive data must understand differing obligations under both to avoid severe penalties amid growing federal data security restrictions. Read More →
- Texas Expands Data Broker Law—New Requirements Effective September 1: Two major changes to Texas’s data broker registration law take effect September 1, 2025. SB 2121 broadens the definition of “data broker” by removing the requirement that data resale be a company’s main source of revenue. Now, any business handling personal data it didn’t collect directly from individuals—if it meets new revenue or personal data thresholds—falls under the law. SB 1343 updates notice rules: data brokers must provide consumers with a clear, prominent website link detailing how to exercise rights under the Texas Data Privacy and Security Act. Read More →
- Companies Make It Harder to Delete Your Data, Investigation Finds: A Markup and CalMatters investigation revealed dozens of registered data brokers in California are hiding their data deletion pages from Google and other search engines, making it far more difficult for consumers to exercise their legal right to delete personal information. Of nearly 500 broker websites reviewed, at least 35 used code to block search indexing, while others buried links in hard-to-find spots or linked to non-existent pages. A new statewide platform launching next year aims to simplify the process for Californians to delete their data from all registered brokers. Read More →
- Washington Data Broker Fined $55,400 for Failing to Register: The California Privacy Protection Agency (CPPA) ordered Bellevue-based data broker Accurate Append, Inc. to pay $55,400 for not registering and paying required fees under California’s Delete Act by the January 2024 deadline. The company only registered after CPPA’s enforcement inquiry. The fine includes injunctive terms and potential liability for legal fees in case of non-compliance. This enforcement follows a broader CPPA push targeting unregistered data brokers to enhance transparency and consumer privacy protections in California. Read More →
- UC Irvine Study Exposes Data Broker Failures Under CCPA: A UC Irvine investigation found that nearly half of state-registered data brokers ignored legal consumer privacy requests, violating California’s CCPA. The study, funded by the National Science Foundation, also revealed that many brokers required consumers to share even more sensitive information just to exercise their rights and that the process for submitting requests is often confusing and burdensome. Researchers warn the current system leaves Californians’ personal data vulnerable to misuse, and call for stronger enforcement and standards. Read More →
- Texas Legislature Amends Data Broker Law to Broaden Definition, Arguably Narrow Applicability Thresholds: In late June, Governor Abbott signed into law SB 2121 and SB 1343, two bills that amend the existing Texas Data Broker Act. The amendments broaden the definition of “data broker” and alter the applicability thresholds (SB 2121), and provide enhanced notice and registration statement requirements regarding how consumers can exercise their privacy rights (SB 1343). Read More →
- CFPB to withdraw rule targeting data brokers: The Consumer Financial Protection Bureau is set to withdraw a Biden-era rule aimed at cracking down on data brokers and their selling of Americans’ personal and financial information. In a notice set to publish Thursday in the Federal Register, the CFPB said legislative rulemaking on the data broker industry “is not necessary or appropriate at this time,” and the agency does not plan to “take any further action” on the proposal. Read More →
- US Data Privacy Litigation: Data brokers and judicial privacy litigation: Daniel’s Law, enacted in New Jersey to protect public officials’ personal information, has led to a surge in data privacy litigation. The law, amended in 2023 to allow third-party claims, has resulted in numerous lawsuits against data brokers and other businesses. Read More →
- More Scrutiny of California Data Brokers: As with many other areas of privacy law, it is not surprising that California continues to lead the nation in regulating data brokers – from promulgating new regulations to issuing a cluster of recent settlements. Read More →
- California: CPPA brings enforcement action against Background Alert under Delete Act: The California Privacy Protection Agency (CPPA) took enforcement action against Background Alert, Inc. for not registering or paying the annual fee required by the DELETE Act, resulting in a settlement that mandates the company to cease operations until 2028 or incur a $50,000 fine. Read More →
- CPPA Brings Enforcement Action Against Florida Data Broker: The Enforcement Division of the California Privacy Protection Agency (CPPA) has brought an enforcement action seeking a $46,000 fine against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker, for failing to register and pay an annual fee as required by the Delete Act. The Enforcement Division has taken action against six data brokers since announcing an investigative sweep of data broker registration compliance, with the first five cases resulting in a settlement. Read More →
- Privacy of millions worldwide compromised as huge data location broker got hacked
- California Privacy Protection Agency Expands the Definition of “Data Broker”
- CFPB Issues Proposed Rule to Cover Data Brokers Under the Fair Credit Reporting Act
- CPPA Board Approves Data Broker Regulations
- CPPA Settles With Unregistered Data Brokers
- Texas’s Data Broker Law AG Sweep
- Data Broker Kochava and FTC To Potentially Settle Privacy Lawsuit
- What Happens to Your Sensitive Data When a Data Broker Goes Bankrupt?
- Closing the Data Broker Loophole
- How Ads on Your Phone Can Aid Government Surveillance