Data Broker Regulation in the United States
Data broker regulation in the United States covers the legal frameworks, enforcement mechanisms, and state-level statutes that govern companies collecting, aggregating, and reselling personal information about individuals without direct consumer relationships. The sector operates across a fragmented patchwork of federal agency oversight and state-specific registration and deletion rights regimes. Understanding the structural boundaries of this regulatory space is essential for compliance professionals, data protection researchers, and organizations that interact with licensed data protection services.
Definition and scope
A data broker — also called an information broker or data reseller — is an entity that collects personal information about consumers from public records, commercial sources, social media platforms, and third-party data feeds, then sells, licenses, or otherwise shares that information with clients who have no direct relationship with the individuals described. The Federal Trade Commission's 2014 report Data Brokers: A Call for Transparency and Accountability identified nine major data broker companies and described an industry that holds information on hundreds of millions of Americans, segmented into marketing, risk mitigation, and people-search product categories.
No single comprehensive federal data broker statute exists. Instead, regulation is distributed across sectoral laws:
- Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 — Governs data brokers whose products are used for credit, employment, insurance, or housing decisions. Enforced by the Federal Trade Commission and the Consumer Financial Protection Bureau (CFPB).
- Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 — Covers brokers handling nonpublic personal financial information when operating as or for financial institutions.
- Health Insurance Portability and Accountability Act (HIPAA) — Applies when brokers handle protected health information, enforced by the HHS Office for Civil Rights.
- Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 — Restricts data collection and resale involving children under 13.
At the state level, Vermont enacted the first dedicated data broker registration law in 2018 (9 V.S.A. § 2430), requiring brokers to register annually with the Vermont Attorney General and pay a $100 registration fee. California's Delete Act (SB 362, signed 2023) established the first state-operated data deletion mechanism, directing the California Privacy Protection Agency (CPPA) to build a single opt-out portal by 2026 (Cal. Civ. Code § 1798.99.80).
How it works
Data brokers operate through a multi-phase acquisition and distribution model:
- Collection — Brokers ingest data from public records (court filings, property records, voter registrations), commercial transaction datasets, website tracking pixels, loyalty program aggregators, and licensed government databases.
- Normalization and enrichment — Raw records are deduplicated, matched across sources using probabilistic identity resolution algorithms, and appended with derived attributes such as estimated income ranges or household composition.
- Segmentation and product packaging — Enriched profiles are organized into product lines: marketing audience segments, background check products, fraud risk scores, and people-search consumer profiles.
- Distribution — Products are licensed to advertisers, insurers, employers, landlords, financial institutions, law enforcement agencies, and direct consumers via subscription or transactional APIs.
The regulatory framework imposes different obligations at each phase depending on the end-use purpose. FCRA obligations, for example, attach when the downstream use triggers a "permissible purpose" determination, requiring brokers to implement adverse action notice procedures and dispute resolution mechanisms.
Under the CFPB's enforcement posture, data brokers that sell information feeding into credit-decisioning models may be reclassified as consumer reporting agencies under FCRA, subjecting them to accuracy, dispute, and security requirements regardless of self-designation. The CFPB issued a proposed rulemaking in 2024 that would formally extend FCRA coverage to a broader class of data broker products (CFPB Docket No. CFPB-2024-0008).
Common scenarios
Marketing and audience segmentation — Brokers sell behavioral and demographic profiles to advertisers. This activity falls outside FCRA when it is not used for credit, employment, or insurance, placing it primarily under FTC Act Section 5 unfair or deceptive practices jurisdiction and applicable state consumer privacy statutes such as the California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100).
People-search platforms — Platforms aggregating name, address history, relative associations, and phone numbers from public records occupy a contested regulatory boundary. Vermont's registration law and California's Delete Act both specifically capture this category. People-search brokers are distinguished from FCRA-covered consumer reporting agencies by the absence of a permissible-purpose sales model, though the FTC has challenged this self-classification in enforcement actions.
Risk mitigation and fraud scoring — Brokers supplying identity verification scores, fraud risk signals, or tenant screening reports to financial institutions or landlords are most likely to trigger FCRA obligations. The distinction between a "consumer report" and a "non-FCRA product" is a primary compliance decision point and enforcement target.
Government and law enforcement data sales — Brokers selling geolocation data, cell-site records, or financial transaction data to federal or state agencies without warrants have drawn FTC enforcement scrutiny. The FTC's 2023 actions against Kochava (FTC v. Kochava, D. Idaho, 2:22-cv-00349) addressed the sale of precise geolocation data linked to sensitive locations.
Decision boundaries
The central regulatory classification question for any data broker activity is whether the product constitutes a "consumer report" under FCRA. If yes, the full FCRA compliance architecture applies — permissible purpose, adverse action, accuracy, and dispute obligations. If no, the applicable framework shifts to FTC Act Section 5, CCPA/CPRA where California consumers are involved, and state registration requirements where the broker's business activities meet jurisdictional thresholds.
A second boundary separates brokers subject to GLBA from those outside financial services. Brokers that are not "financial institutions" under GLBA but that receive nonpublic financial data from GLBA-covered entities may still face contractual security obligations through data sharing agreements, even absent direct GLBA coverage.
State law divergence creates a third tier of complexity. Vermont requires registration by all data brokers operating in the state (Vermont Attorney General Data Broker Registry). California imposes deletion rights and opt-out obligations under the Delete Act. Texas, Oregon, and Montana enacted comprehensive consumer privacy laws by 2023 that include data broker-adjacent provisions but stop short of Vermont-style registration mandates. Compliance programs therefore need to be structured around each jurisdiction's distinct requirements rather than a single national baseline.
The FCRA-vs.-non-FCRA boundary is not always self-evident from product design alone. The FTC's 2012 Protecting Consumer Privacy in an Era of Rapid Change report and its 2014 data broker report both describe enforcement criteria that emphasize functional use over nominal product labeling.