Data Broker Registration Explained (2026): How to Register Under U.S. Privacy Laws
Data brokers occupy a peculiar position in the privacy landscape: they are often the most consequential handlers of personal information that consumers have never heard of. A person may carefully manage what they share with their bank, their employer, and the apps on their phone — and still find their name, home address, income range, health interests, and browsing behavior for sale across hundreds of databases they never interacted with.
Data broker registration laws exist to bring this industry into public view, require transparency about who is collecting and selling personal data, and give consumers meaningful tools to exercise their rights against entities they have no direct relationship with.
For companies that collect and monetize third-party personal data, these laws create concrete compliance obligations: registration with state agencies, payment of annual fees, disclosure of data practices, and — in California — mandatory technical integration with a state-run deletion platform. Getting that registration wrong, or not registering at all, creates direct financial exposure. Getting the initial question wrong — whether you qualify as a data broker at all — creates the same exposure with the added complication that you may not even know you're at risk.
This guide covers what data brokers are, which states have registration requirements, what the process involves, and what compliance looks like in 2026.
What Is a Data Broker?
The common thread across all four U.S. state definitions is the indirect data relationship. A data broker is a business that collects and sells, licenses, or transfers personal information about individuals with whom it has no direct relationship. The data was not obtained from the consumer directly — it was acquired from third-party sources, assembled from public records, inferred from observed behaviour, or purchased from other data companies. The consumer never agreed to share their data with the broker, and in most cases has no awareness that the broker holds it.
The specific definitions vary in important ways. California's Delete Act covers businesses that "knowingly collect and sell" personal information about consumers with no direct relationship. Oregon and Vermont both capture businesses that collect and "sell or license" personal data to third parties. Texas takes a revenue-based approach: a data broker is a business entity whose "principal source of revenue" is derived from collecting, processing, or transferring personal data not collected directly from the individual — which means a company where more than half of revenue comes from data sales.
Typical examples include people-search platforms that aggregate public records into searchable consumer profiles; marketing intelligence companies that build audience segments for advertising targeting; identity resolution companies that link digital identifiers to real-world individuals; location data aggregators that purchase and resell device movement data; and consumer intelligence platforms that sell propensity scores, demographic profiles, or intent signals to brands and lenders.
The qualification question is less obvious than it appears. Companies that consider themselves analytics providers or lead generation platforms may fall within the data broker definition depending on how their data was sourced and how it is transferred downstream. California's clarification in its 2025 DROP regulations is instructive: merely collecting data directly from a consumer does not establish a "direct relationship" sufficient to exclude a business from the data broker definition — the consumer must both intend and expect to interact with the business. Marketing vendors, loyalty programme operators, and sweepstakes sponsors that collect data indirectly from a brand's customers may find themselves classified as data brokers even where neither party anticipated that result.
Why Data Broker Registration Exists
The core regulatory problem is the absence of accountability in secondary data markets. Most consumer data privacy laws apply to businesses with a direct consumer relationship — the retailer, the app developer, the healthcare provider. They impose disclosure obligations, consent requirements, and data subject rights because consumers can reasonably be expected to know they are dealing with those entities. Data brokers operate entirely outside this relationship. A consumer cannot exercise rights they do not know exist against a company they do not know holds their data. They cannot opt out if they cannot find who to opt out with. And they have no way to assess the accuracy of profiles built about them.
Data broker registration laws address this structural gap by creating public registries of known actors in the secondary data market, requiring annual disclosure of data categories collected and consumer rights mechanisms, and — in California — constructing a centralised opt-out and deletion infrastructure that makes consumer rights exercisable without requiring the consumer to identify each broker individually. The disclosure obligations also serve a broader surveillance function: regulators and researchers can examine registry data to understand the scope of commercial data collection, flag high-risk data types, and identify companies whose practices warrant closer scrutiny.
Which Companies Must Register
Most compliance questions reduce to two issues: does the business collect personal data about people it doesn't have a direct relationship with, and does it sell, license, transfer, or derive principal revenue from that data?
Marketing data platforms that build audience segments from third-party sources and license them to advertisers are the paradigm case. So are people-search websites that aggregate public records — court filings, property records, voter registration data — into consumer profiles available for a fee. Location data companies that purchase device movement data from mobile apps and resell it to retailers, real estate firms, or law enforcement agencies are explicitly within scope. Identity resolution companies that match digital identifiers to real-world individuals and sell those matches to brand marketers or financial services firms fall within every state's definition.
Several exclusions apply consistently across states. Credit reporting agencies regulated under the federal Fair Credit Reporting Act are generally exempt, as are financial institutions covered by the Gramm-Leach-Bliley Act, healthcare entities covered by HIPAA, government agencies, and nonprofits. These exemptions reflect the existence of separate regulatory frameworks for those industries rather than a policy judgement that those entities' data practices are low-risk.
The harder questions involve SaaS companies, analytics providers, and businesses that share data in ways that may not look like "selling." If a SaaS company aggregates data from multiple enterprise clients, builds aggregate insights, and monetises those insights through product features, it may or may not qualify depending on how the data flows. If a retail loyalty programme sells customer data to a marketing cooperative, the cooperative is clearly a broker; whether the retailer is depends on the state definition and the nature of its direct customer relationships. Any company uncertain about its qualification should conduct a formal legal assessment — and document the reasoning, because undocumented conclusions do not protect against enforcement.
U.S. States With Data Broker Registration Laws
Four states have enacted data broker registration laws: California, Vermont, Texas, and Oregon. Several others — including New Jersey, Delaware, Michigan, and Alaska — are developing frameworks, but as of 2026 registration is mandatory only in these four jurisdictions.
California
California has the most comprehensive and actively enforced data broker regime in the country. The foundation is the California Delete Act (SB 362, signed October 2023), which requires data brokers to register annually with CalPrivacy (the California Privacy Protection Agency) by January 31 of each year. The 2026 annual registration fee is $6,000 plus a third-party payment processing fee.
California's 2025 expansion, Senate Bill 361 (the Defending Californians' Act), significantly broadened disclosure obligations effective January 2026. Data brokers must now disclose not only the categories of personal data they collect but whether that data includes particularly sensitive types — citizenship and immigration status, union membership, sexual orientation and gender identity, government-issued identification numbers, account login credentials, biometric data, and mobile advertising identifiers. They must also disclose whether they have shared or sold personal data to foreign actors, federal or state government entities, law enforcement agencies, or generative AI developers. SB 361 also doubled the daily penalty for non-registration from $100 to $200 per day.
The most operationally significant requirement is California's Delete Request and Opt-Out Platform (DROP). DROP became available to consumers on January 1, 2026, allowing California residents to submit a single deletion request to all registered data brokers simultaneously. Beginning August 1, 2026, registered data brokers must access DROP at least every 45 days, process consumer deletion requests within 90 days of retrieval, and implement a perpetual deletion cycle for consumers who have opted into ongoing deletion — meaning any new personal data collected about those consumers must be deleted on each subsequent 45-day sweep. Failure to process deletion requests carries a penalty of $200 per request per day, creating cumulative exposure that can compound rapidly for high-volume brokers. CalPrivacy has already demonstrated willingness to enforce: in January 2026, two data providers were fined $42,000 and $34,400 respectively for failure to register.
Starting January 1, 2028, California data brokers must undergo independent privacy audits every three years, with results submitted to CalPrivacy.
Vermont
Vermont's Data Broker Law, enacted in 2018, was the first of its kind in the United States. It covers businesses that knowingly collect and sell or license the brokered personal information of at least 19,000 Vermont residents annually. Registration must be completed annually with the Vermont Secretary of State by January 31, at a fee of $100.
Vermont's law requires data brokers to implement minimum information security standards — administrative, technical, and physical safeguards — proportionate to the nature and sensitivity of personal data held. A security breach involving personal data collected by a Vermont-registered data broker may constitute an unfair or deceptive practice under the state's Consumer Protection Act, creating additional liability beyond the registration penalties. The penalty for failing to register is $50 per day, up to $10,000 per year.
Texas
Texas enacted its data broker registration law in 2023, effective September 2023 with first registrations due March 2024. The Texas definition differs from other states: it captures businesses whose "principal source of revenue" comes from collecting, processing, or transferring personal data not collected directly from the individual, rather than any business that collects and sells such data. This revenue-based threshold means businesses that incidentally sell data alongside a primary business model may not qualify, while dedicated data brokers plainly do.
Texas registration is handled through the Secretary of State's office. The annual fee is $300. Unlike California and Vermont, Texas does not require registration by a fixed calendar date — brokers must register before operating in the state and renew annually on the anniversary of their initial registration.
Texas requires registered data brokers to maintain a comprehensive written information security program (WISP) with administrative, technical, and physical safeguards. The WISP must designate employees responsible for the programme, assess risks to personal data, include employee training, address third-party service provider oversight, and implement access controls and monitoring for unauthorised access. This security programme obligation applies to all personal data — broader than Vermont's narrower "personally identifiable information" scope. Penalty for non-compliance is $100 per day up to $10,000 in a 12-month period. Violations of data protection obligations constitute actionable deceptive trade practices under state law.
Oregon
Oregon enacted its data broker law in 2023 with a definition that aligns closely with Vermont and California: a business that "collects and sells or licenses brokered personal data" to another person. Oregon registration does not have a fixed annual deadline in the same way as California and Vermont — brokers must register before conducting business in the state, with registrations valid until December 31 of the year of approval and renewals due in December. Oregon's 2026 amendments to its broader privacy law added restrictions on selling data of consumers under 16 and on selling precise geolocation data within a 1,750-foot radius, reinforcing the compliance context for data brokers operating in the state. Penalty for failing to register in Oregon is $500 per day, up to $10,000 per year — the highest daily rate of any of the four states.
The Data Broker Registration Process
Compliance begins with a qualification assessment: does your business meet the relevant state definition of a data broker? This requires mapping data flows — specifically, how personal data enters your systems (directly from consumers, or from third-party sources), and how it leaves (sold, licensed, transferred, or used to generate revenue). For each state where you may qualify, the direct relationship question must be answered carefully in light of that state's specific definition.
Once qualification is established, the registration process for each applicable state requires creating an account with the relevant agency (CalPrivacy for California, Secretary of State for Vermont and Texas, Department of Justice or Secretary of State for Oregon), completing the registration form with company details and data practice disclosures, paying the applicable fee, and receiving confirmation. California's process now runs through DROP, where brokers must maintain an active account, complete the registration form in stages, and report annual metrics including consumer rights request volumes and response times from the prior year.
The information required at registration consistently includes company name, address, and contact details; a description of the categories of personal data collected; whether consumers may opt out of data collection and how; whether the broker collects data about children; and, in California, the expanded SB 361 disclosures covering sensitive data types and sharing relationships with government, foreign, and AI developer recipients. Texas additionally requires a description of the categories of data the broker processes and transfers, and a statement on compliance with federal and state laws regarding children's data.
After registration, brokers must complete annual renewals by the applicable deadline — January 31 for California and Vermont, on the registration anniversary for Texas, and December 31 for Oregon. California also requires brokers to report prior-year consumer rights request metrics at each annual renewal, making the renewal a compliance reporting exercise as well as a registration maintenance exercise.
Penalties for Non-Registration
The combined penalty exposure across all four states for a business that fails to register — and California plans to enforce up to five years of retroactive non-compliance — can reach significant sums. California alone carries $200 per day plus investigative costs. Oregon carries $500 per day up to $10,000 annually. Vermont carries $50 per day up to $10,000 annually. Texas carries $100 per day up to $10,000 annually. For California, where there is no statutory annual cap equivalent to the other states, extended non-registration periods create compounding exposure that enforcement actions have already illustrated: the January 2026 enforcement actions resulted in $42,000 and $34,400 fines for single companies. Beginning August 2026, California's DROP non-compliance penalties run independently and per-request, which means a data broker that has registered but fails to process deletion requests can face separate and potentially larger exposure than a broker that failed to register.
Beyond the direct financial penalties, enforcement actions create regulatory attention that rarely ends with a single fine. A company that has failed to register is also likely deficient in other data governance areas — missing data inventory, inadequate consumer rights processes, absent security documentation — that become additional enforcement targets once a regulator opens an investigation.
Transparency and Consumer Rights Obligations
Registration is not the totality of compliance. All four state laws impose ongoing obligations. Data brokers must maintain and publish disclosures about data practices accessible to consumers, including the categories of data collected and how consumers can exercise their rights. California and Texas additionally require website-level disclosures identifying the company as a data broker. Texas requires a clear identifying statement; California's CCPA and CPRA framework requires comprehensive privacy notices, consumer rights mechanisms, and opt-out links.
Consumer rights mechanisms for data brokers vary by state. California's DROP creates an opt-out and deletion mechanism that registered brokers must honour on a 45-day cycle. Vermont requires that brokers disclose whether consumers may opt out and how to do so. Texas requires the same disclosure without mandating a specific mechanism. California-registered brokers that also process personal data about consumers covered by other states' comprehensive privacy laws may additionally be subject to those laws' consumer rights request handling obligations (access, deletion, correction, portability).
The overlap between data broker obligations and GDPR deserves specific attention for organisations operating internationally. GDPR does not create a data broker registration requirement as a distinct category, but the regulation's requirements for lawful basis, transparency, data subject rights, and accountability apply fully to organisations that process personal data as brokers without a direct data subject relationship. The legitimate interests basis — the most commonly invoked basis by organisations without consent from data subjects — requires a documented balancing test and data subjects must be informed of the processing at the time their data is obtained or as soon as practicable. Practically, this means European-facing data operations require parallel legal infrastructure: privacy notices, data subject access mechanisms, and records of processing activities, even where no separate registration requirement exists.
States on the Horizon
The regulatory expansion beyond the current four-state framework is moving deliberately. New Jersey, Delaware, Michigan, and Alaska have active or advanced legislative development on data broker registration. The pressure from the federal level is limited — no comprehensive federal data broker law has advanced in the current Congress — but state-by-state expansion continues. For companies that are not yet registered in the four existing states but expect to qualify, the registration question is urgent. For companies already registered, monitoring legislative development in expansion states and building registration into the ongoing compliance calendar is the appropriate posture.
A robust privacy governance framework tracks applicable registration requirements across jurisdictions, maintains current data inventory documentation sufficient to support registration disclosures, manages annual renewal deadlines, and ensures consumer rights mechanisms — particularly deletion and opt-out — are operationally integrated rather than handled ad hoc. As California's DROP demonstrates, the direction of travel is toward automated, infrastructure-level consumer rights mechanisms rather than manual request handling. Companies building manual processes to meet current requirements are building processes that will require replacement within a compliance cycle or two.
FAQ
What is a data broker? A data broker is a business that collects and sells, licenses, or transfers personal information about consumers with whom it has no direct relationship. The data is sourced from third parties, public records, or observed behavior rather than obtained directly from the individual.
Which states require data broker registration? As of 2026, four states require registration: California (by January 31 annually, $6,000 fee), Vermont (by January 31 annually, $100 fee), Texas (before commencing operations, $300 fee), and Oregon (before commencing operations, annual renewal by December 31).
Do SaaS companies qualify as data brokers? It depends on the data flow. If a SaaS company's primary business involves collecting personal data that was not provided directly by the data subjects and monetizing or transferring that data, it may qualify. The California clarification that a "direct relationship" requires consumer intent and expectation — not merely data collection — means some SaaS and marketing technology companies previously outside the definition may now fall within it.
How much does registration cost? Across all four states, combined annual registration fees total approximately $6,400–$6,700 depending on Oregon's specific fees. California's $6,000 fee dominates the total and is the most actively enforced.
What happens if a company fails to register? Penalties accrue daily from the point of non-compliance. California charges $200 per day plus investigative costs, with enforcement potentially backdated up to five years. Oregon charges $500 per day up to $10,000 annually. Vermont and Texas charge $50 and $100 per day respectively, each capped at $10,000 annually.
Is data broker registration required under GDPR? No. GDPR does not establish a data broker registry. However, organizations processing personal data without a direct data subject relationship must have a valid lawful basis for that processing, provide transparency through appropriate notices, and honor data subject rights — obligations that in practice require governance infrastructure comparable to what registration laws demand.
Compliance Requires More Than Registration
Data broker registration is the visible compliance requirement — the annual deadline, the fee, the form. But it sits on top of a data governance infrastructure that most companies at risk of qualifying have not fully built: a current inventory of what personal data is held and where it was sourced, consumer rights mechanisms that can actually respond to deletion requests at scale (and from August 2026, integrate with California's DROP), security programmes meeting Vermont and Texas requirements, and accurate disclosures reflecting what data categories are actually collected.
The companies that face the most significant enforcement risk are not those that registered late. They are the ones that never assessed whether they qualified, and are now accumulating daily penalties without knowing it.
Secure Privacy helps organizations navigate data broker compliance, consumer rights workflows, and privacy governance obligations across U.S. and global frameworks.