Data Brokers’ Non-Compliance with State Consumer Protection Agency Registration Requirements
Hundreds of data brokers remain unregistered with state consumer protection agencies, as highlighted by recent findings from privacy advocacy groups.
Data brokers, in various forms, aggregate personally identifiable information (PII) from an array of sources, including publicly accessible data and information acquired through cybercriminal activities. This data is subsequently sold for purposes such as background checks and marketing.
A significant concern associated with data brokers is their intra-industry data trading practices. By sharing and trading this information, brokers not only expand the volume of data collected but also acquire data that may not pertain to their specific focus areas.
Public scrutiny of data brokers has intensified following notable security breaches, including the National Public Data (NPD) leak, which garnered international media coverage due to its scale, affecting hundreds of millions and compromising Social Security Numbers.
In response to growing privacy concerns, several states have established regulations governing private data usage, with specific laws targeting data brokers under development. States like California, Texas, Oregon, and Vermont have enacted data broker registration laws mandating that brokers disclose their identities to state authorities and the public. Additionally, while New Jersey, Delaware, Michigan, and Alaska have proposed similar legislation, these bills have yet to become law.
Analysis indicates that data brokers often fail to register in multiple states. For example, as of early April 2025, 291 companies did not register in California, 524 in Texas, 475 in Oregon, and 309 in Vermont, excluding those brokers that did not register anywhere.
Several factors contribute to this situation:
- Many data brokers, despite operating across state lines, may not fully understand the regulations in each state.
- The absence of a federal standard complicates compliance, as brokers must navigate four distinct state laws with differing definitions, fees, deadlines, and security requirements.
- Some brokers may deliberately choose to bypass registration to minimize costs, particularly when state enforcement is perceived as lacking and registration fees, such as California’s $6,600, are high.
Brokers may weigh registration costs against potential compliance expenses and decide against registration.
| State | Registers With | Fee | Security Obligations | Enforcement |
|---|---|---|---|---|
| California | CPPA | $6,600 | Yes (deletion metrics, audits, security) | $200 per day + investigation costs |
| Texas | Secretary of State | $300 | Yes (WISP) | $100 per day ($10k cap) |
| Oregon | DCBS | $600 | Likely minimum standards | $500 per day ($10k cap) |
| Vermont | Secretary of State | $100 | Yes (minimum standards) | $50 per day ($10k cap) |
It is crucial to note that this analysis does not assert that any identified data brokers are in violation of laws. The definition of ‘data broker’ varies across jurisdictions, which may lead to different registration requirements in various states.
In conclusion, consumer protection is paramount, and federal regulation of data brokers could represent a crucial advancement in safeguarding personal data. Recent legislative efforts, such as a proposed bill aimed at prohibiting the sale or transfer of health and location data by brokers, underscore the urgency of establishing protective measures. However, progress has stalled, and continued advocacy will be necessary to ensure meaningful change.