Quick view: Regulation of data brokers (USA)

Updated as of: 16 June 2025

Introduction

In the United States, data brokers are expanding their reach, collecting increasing amounts of personal data from Americans. There is no single source of laws that regulates data brokers. Laws and practices overseeing data brokers come from an array of sources, including state laws, oversight by federal and state agencies, and public input. Accordingly, determining which laws apply, and then applying them, is a case-by-case analysis that data brokers and organizations must each undertake in order to be legally compliant.

This Quick view provides guidance on the regulation of data brokers (for further information on the entities that might be defined as data brokers, see section 1.2.1 below) and draws out particular considerations that data brokers will need to keep in mind in respect of registration, data security, and data breach requirements. It can be used by data brokers, as well as their legal counsel and Information Technology (IT) staff responsible for compliance with data broker incident response laws and regulations.

This Quick view addresses the following:

  1. The regulation of data brokers
  2. Particular considerations for data brokers

This Quick view can be read in conjunction with the following resources: How-to guide: How to develop, implement and maintain a US information and data security compliance program and How to implement privacy by design within your organization; and Checklists: Completing a data privacy risk assessment and Understanding privacy laws in the US.

1. The regulation of data brokers

1.1 Federal law

1.1.1 Protecting Americans’ Data from Foreign Adversaries Act of 2024 

On April 24, 2024, President Biden signed into law HR 815, the Emergency Appropriations Act of 2024. This law includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA, Division H of HR 815). The law, which went into effect on June 23, 2024, imposes a significant restriction on foreign data sales by US companies. PADFA prohibits ‘data brokers’ from selling, licensing, or transferring for consideration an American’s ‘personally identifiable sensitive data’ to certain ‘foreign adversary’ countries (defined as China, North Korea, Russia, and Iran), or to any entity ‘controlled’ by those foreign adversary countries. An entity ‘controlled by’ a foreign adversary country is one with 20% or more ownership by an individual or business domiciled or with a principal place of business in a foreign adversary country. PADFA applies to a broad set of ‘sensitive data,’ including device geolocation data and certain information on ‘an individual’s online activities.’ PADFA will be enforced by the Federal Trade Commission (FTC), which is authorized to seek civil penalties for violations.

1.1.2 Fair Credit Reporting Act

Federal agencies, such as the Consumer Financial Protection Bureau (CFPB), have launched inquiries into how companies track and collect information on an individual’s personal life. The CFPB sought to collect information regarding the practices of data brokers in 2023, with a view to expanding its rulemaking under the Fair Credit Reporting Act (FCRA).

The FCRA is one example of the evolving nature of the federal government’s attempt to regulate how and to what extent data brokers collect and use personal information. For instance, the FCRA offers a range of protections for consumers, including accuracy standards, dispute rights, and restrictions on how data can be used. The FCRA applies to credit reporting agencies, background screening firms, and data brokers who report to such agencies and firms. 

1.1.3 Application of the Federal Trade Commission Act to data brokers

Although there is no specific language under federal law that specifically regulates domestic data brokers, as opposed to brokers who sell data to foreign nationals, the Federal Trade Commission Act (FTCA) regulates commerce and prevents organizations from using unfair and unlawful methods of competition. While the FTCA does not explicitly mention data brokers, it can be invoked to assess whether their practices involve unfair competition, such as deceptive practices or misrepresentation of data, or unlawful competition, such as monopolistic behavior or anticompetitive agreements.

Given the increased risk to consumers associated with this lack of regulation, increased legislation and enforcement against the improper use and sale of such data is expected. Indeed, in 2022 the Federal Trade Commission filed suit against Kochava Inc, a data broker that sold geolocation data that could be used to trace the movements of individuals to and from sensitive locations, such as reproductive health clinics, homeless shelters, and places of worship. In its suit, the FTC alleged that by selling data used to track people, Kochava was enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. This was, according to the FTC, in direct violation of section 5(a) of the FTCA. While the initial suit was dismissed, the FTC has since refiled and the case remains pending as of July 15, 2024.

Following the FTC suit against Kochava, the CFPB announced plans to draft new rules aimed at holding data brokers accountable under the FCRA, which would expand upon the current regulation under the FTCA. On December 3, 2024, the CFPB proposed a new rule aimed at regulating data brokers who sell the sensitive personal and financial information of Americans. This rule would have restricted the sale of personal identifiers, such as Social Security Numbers and phone numbers, and ensured that financial data, like income, is shared only for legitimate purposes, such as mortgage approvals, rather than being sold to scammers who prey on those in financial distress. The proposal clarified that data brokers selling certain sensitive consumer information are considered ‘consumer reporting agencies’ under the FCRA, requiring them to adhere to accuracy standards, provide consumer access to information, and implement safeguards against misuse. ‘Data brokers profit by selling our sensitive personal data without our consent, enabling scamming, stalking, and spying,’ stated CFPB Director Rohit Chopra. This initiative was part of a broader government effort to protect sensitive personal data, complementing recent Executive Orders and actions by other federal agencies. In October 2024, the Department of Justice proposed measures to prevent the access of Americans’ sensitive data by countries of concern, such as Russia, Iran, and China. Comments on the CFPB proposal had to be received on or before March 3, 2025.

The rule that was proposed on December 3, 2024, on Protecting Americans From Harmful Data Brokering Practices (Regulation V), was subsequently revoked by the CFPB on May 15, 2025. The CFPB advised that it will issue a rule implementing the relevant definitions and provisions of the FCRA only when and if the CFPB determines it necessary to do so.

1.1.4 Application of the Health Insurance Portability and Accountability Act (HIPAA) to data brokers

HIPAA protects all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This information is ‘protected health information,’ otherwise known as PHI.

Rules adopted under HIPAA apply to covered entities and business associates. Covered entities are defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information. A business associate is defined as an entity that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI; a person that offers a personal health record to one or more individuals on behalf of a covered entity; or a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.

In the context of data brokers, the direct application of HIPAA rules may vary. Data brokers that do not fall under the definition of covered entities may not be subject to HIPAA’s specific requirements. However, if a covered entity engages a data broker as a business associate to assist with healthcare activities and functions, a written business associate contract or another appropriate arrangement is required. This contract establishes the purpose and scope of the services provided by the data broker and mandates compliance with HIPAA rules to protect the privacy and security of PHI.

1.2 State law

1.2.1 Application of state laws to data brokers

State laws may impose specific obligations on data brokers (see further section 2 below). 

Data privacy is currently an area of great legislative concern: according to the International Association of Privacy Professionals, as of May 2025, 20 states have enacted comprehensive consumer privacy legislation. 

Four states - California, Oregon, Texas, and Vermont - have laws that require data brokers to register with the state. Some state laws may also require adoption of security protocols. 

It is a reasonable assumption that other states will enact similar legislation, and that data broker regulation bills will be introduced when state legislatures reconvene for the 2025-26 legislative sessions.

When considering whether state laws might apply, it is important to acknowledge that specific jurisdictions within the United States may have their own unique definitions. It is crucial to determine whether relevant laws provide specific definitions of ‘data broker’ and understand the potential variations that exist. For example:

  • In California, under the California Consumer Privacy Act, a ‘data broker’ means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. This definition does not apply to:
  • In Vermont, under the Vermont Data Broker Act, a ‘data broker’ is a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. ‘Brokered personal information’ includes names, addresses, date of birth, place of birth, mother’s maiden name, unique biometric data, name or address of a member of the consumer’s immediate family or household, Social Security number or other government-issued identification numbers, or other information that would allow a reasonable person to identify the consumer with reasonable certainty.
  • Texas law, which went into effect on September 1, 2023, defines a data broker as:

    a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.

2. Particular considerations for data brokers

Data brokers have historically operated with little, if any, legal or regulatory oversight. In recent years, concerns about data privacy have led to more legislative interest in the collection, storage, use, and dissemination of data. This has led in turn to state laws requiring the registration or licensing of data brokers, as well as requirements that data brokers be covered by data privacy laws.

2.1 Registration requirements

Various states have imposed licensing or registration requirements on data brokers. As of December 2024, the states listed below are the only ones with data broker licensing or registration requirements.

2.1.1 California

In California, on or before January 31 following each year, a data broker must register with the California Attorney General. The data broker must pay a registration fee and provide the following information:

  • the name of the data broker and its primary physical, email, and internet website addresses; and
  • any additional information or explanation the data broker chooses to provide concerning its data collection practices.

If a data broker fails to register, the data broker is subject to an injunction and is liable for civil penalties, fees, and costs in an action brought by the Attorney General.

A data broker who does not comply with a data subject’s request that their data not be sold may have their registration revoked. Dean v Kaiser Foundation Health Plan, Inc, No. 5:22-cv-00278 (CD Cal May 31, 2023).

2.1.2 Vermont

In Vermont, data brokers must register annually, on or before January 31 following a year in which a person or organization meets the definition of data broker (see above section 1.2.1). The data broker must provide information regarding whether the data broker implements a purchaser credentialing process; the number of data broker security breaches that the data broker has experienced during the prior year and, if known, the total number of consumers affected by the breaches.

2.1.3 Oregon

Legislation passed in 2023 in Oregon is similar to the Vermont law. Under the Oregon law, which became operative on January 1, 2024, data brokers must register annually with the Department of Consumer and Business Services. The law will require data broker registration to include information regarding a consumer’s right to opt out of having their data brokered.

The Oregon law states that the Department ‘may approve and renew a [data broker’s] registration . . . by means of an agreement with the Nationwide Multistate Licensing System.’ The Nationwide Multistate Licensing System is a means for licensing and registering mortgage and other financial professionals. As of December 2023, the System has no provision for the registration or licensing of data brokers.

2.1.4 Texas

A 2023 law passed in Texas also requires the registration of data brokers; however, the law is more limited in scope than the laws of the other three states. The Texas law requires the registration of data brokers on a registry maintained by the Texas Secretary of State. The registration requirements apply only to a data broker that, in a 12-month period, derives:

  • more than 50% of the revenue from processing or transferring personal data that the data broker did not collect directly from the individuals to whom the data pertains; or
  • revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains.

2.2 Data security requirements

State law may impose security requirements specific to data brokers. Texas has the most detailed requirements for security. Section 509.007 of the Business and Commerce Code requires data brokers to develop, implement, and maintain a comprehensive information security program that is written in one or more ‘readily accessible parts’ (a term not defined in the statute) and that contains administrative, technical, and physical safeguards that are appropriate for:

  • the data broker’s size, scope, and type of business;
  • the amount of resources available to the data broker;
  • the amount of data stored by the data broker; and
  • the need for security and confidentiality of personal data stored by the data broker.

The Texas requirements are directed toward prevention, rather than post-breach remediation. Nevertheless, even if a data brokerage is not subject to the requirements of the Texas law, the law may provide useful guidance for developing a program to prevent future breaches.

In California, a law that will become effective January 1, 2026 (the ‘Delete Act’), will require data brokers to delete the personal data of consumers who request deletion through the California Privacy Protection Agency. The consumer need make only one request through the Agency, and that request will oblige all registered data brokers in the state to delete the data.

2.3 Data breach notification requirements

Applicable federal and state laws may impose requirements on data brokers with regard to notification of data breaches.

The response to data broker security incidents depends on the type of information being used or collected and on the jurisdiction in which the broker is doing business. If the information involves a health-related matter, HIPAA rules may apply (see section 1.1.4 above for more details). For any other type of information, breach notification proceeds according to the relevant state law.

For further information on this topic, see How-to guides: How to determine and apply relevant US privacy laws to your organization; Incident response plan readiness and identification of a reportable data breach; and How to develop, implement and maintain a US information and data security compliance program; and Checklist: Completing a data incident response plan assessment; and Responding to a data breach.

2.3.1 Federal law

As noted above, if the information being used or collected by the data broker involves a health-related matter, HIPAA rules apply.

When a data broker, acting as a business associate, discovers a breach of unsecured PHI, it has an obligation to notify the covered entity, which then assumes the responsibility of notifying the Secretary of the Department of Health and Human Services (DHHS).

The data broker’s role is to promptly inform the covered entity about the breach so that the covered entity can fulfill its notification obligations to the DHHS Secretary. A breach that affects 500 or more individuals must be brought to the attention of the DHHS Secretary without unreasonable delay. A breach that affects 500 or fewer individuals must be brought to the Secretary’s attention within 60 days of the end of the calendar year in which the breach was discovered.

2.3.2 State laws

All 50 states, the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have laws that mandate notification to consumers of breaches of the security of data. While these laws are similar, there are significant differences between them, particularly regarding the size of the breach that will trigger notification requirements. In addition, these laws will likely be read as requiring data brokers to make notification of data breaches. The South Carolina breach notification law, for example, imposes breach notification requirements on any person doing business in the state ‘owning or licensing computerized data or other data’ or ‘maintaining computerized data or other data.’

See Q&A: US Data Protection and Privacy (state-by-state).

In states other than California that require registration, data brokers have additional notification requirements in the event of a data breach. These requirements are in addition to the notification requirements applicable to any business.

The additional requirements for data brokers differ from state to state, but they have certain features in common. The additional notification is made to the state agency regulating data brokers, rather than to the subjects of the data themselves (who may not be aware that a broker holds their data). For instance, regulations adopted by the Oregon Department of Consumer and Business Services provide that a data broker must disclose to the Director of the Department any breach of security as required by existing data breach law within 45 days of a breach. In Vermont, however, data brokers must include as a part of their annual registration renewal information regarding the number of security breaches that the data broker has experienced during the prior year and, if known, the total number of consumers affected by the breaches. There is no contemporaneous notification requirement. Similarly, Texas requires data brokers to disclose ‘the number of security breaches the data broker has experienced during the year immediately preceding the year in which the registration is filed, and if known, the total number of consumers affected by each breach’ as a part of an application for renewal of registration.

2.3.3 Remedial steps in the event of a data breach

The US data brokerage landscape is in a state of evolution where change is constant. For this reason, it is essential for organizations to undertake regular reviews and revisions of their information and privacy programs in response to data brokers’ information collection efforts.

Data brokers may face challenges in remediating data security incidents and complying with statutory requirements. Difficulties include identifying the breach scope, timely detection and notification, coordinating with multiple stakeholders, managing reputational impact, and adapting to evolving regulations. Overcoming these challenges requires proactive data security measures, effective communication, and a commitment to ongoing compliance.

The FTC has provided guidance for businesses responding to a data breach. This guidance is not binding on data brokers, but provides a set of best practices for a business responding to a data breach as follows:

  • secure operations – move quickly to secure systems and fix vulnerabilities that may have caused the breach, stop additional data loss, and remove improperly posted information from the web;
  • fix vulnerabilities; and
  • notify the appropriate parties.

Additional resources

Dell Cameron – Wired.com, ‘How the US Can Stop Data Brokers’ Worst Practices—Right Now’
Theodore Rostow – Yale Journal on Regulation, ‘What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers’
Justin Sherman – Duke University Sanford Cyber Policy Program, ‘Data Brokers and Sensitive Data on US Individuals’

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
