Data Broker Regulation in the United States

Data broker regulation in the United States governs commercial entities that collect, aggregate, and sell personal information about individuals who have no direct relationship with those entities. The regulatory landscape is fragmented across federal statutes, sector-specific rules, and a growing body of state laws — with no single comprehensive federal framework in force as of 2024. Professionals navigating this sector must contend with overlapping obligations tied to data type, intended use, and the jurisdiction in which affected consumers reside. The scope of this page covers the definitional boundaries, operational mechanics, scenario classifications, and compliance decision points relevant to data broker activity in the US.

Definition and scope

A data broker — also referred to in some statutory texts as an "information broker" or "consumer data reseller" — is a commercial entity that acquires personal data from sources other than the individuals themselves and monetizes that data through sale, licensing, or targeted-advertising products. Vermont's data broker law (9 V.S.A. § 2430, with the registration duty at § 2446), enacted in 2018 as the first statute of its kind in the US, defines a data broker as "a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." The direct-relationship element is the pivot of the definition: a retailer selling data about its own customers is not a broker under this text, but a separate unit of the same company selling data about non-customers is.

The scope of covered data is broad and includes identifiers such as name, address, date of birth, Social Security number, financial account data, location history, purchase records, and inferred characteristics such as political affiliation or creditworthiness. Regulated categories often intersect with the sensitive data categories treated differently under sector-specific statutes such as HIPAA, GLBA, and FCRA.

Three definitional sub-categories structure regulatory analysis:

  1. Consumer reporting agencies (CRAs) — Data brokers whose products meet the statutory definition of a "consumer report" (information bearing on a consumer's eligibility for credit, insurance, employment, housing, or similar purposes) fall under the Fair Credit Reporting Act (FCRA), enforced by the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB). The CRA must sell only for a permissible purpose and maintain reasonable procedures for accuracy and consumer disclosure; the user of the report must give an adverse-action notice when it acts against the consumer on the basis of the report.
  2. Non-FCRA data brokers — Entities selling data for marketing, fraud detection, or people-search purposes that fall outside FCRA's consumer-report definition. These face lighter federal oversight but increasing state-level requirements.
  3. First-party data resellers — Entities that collected data directly from consumers but then sell it onward. Because the Vermont and California definitions turn on the absence of a direct relationship, these entities usually fall outside the definition for data about their own customers; they are pulled in where a unit of the business sells data about individuals it has no relationship with, or where it licenses customer data so broadly that the downstream buyer becomes a broker.

How it works

The data broker business model operates through a structured pipeline:

  1. Data acquisition — Brokers source data from public records (court filings, property records, voter registrations), commercial data licenses, online tracking (cookies, device fingerprinting), loyalty programs, and data purchased from other brokers.
  2. Aggregation and enrichment — Raw identifiers are linked across sources to build composite profiles. A single individual may appear across 400 or more distinct data points within a single broker's database, according to research cited by the FTC in its 2014 report "Data Brokers: A Call for Transparency and Accountability".
  3. Product packaging — Profiles are segmented into lists or scored outputs sold to credit issuers, employers, landlords, insurers, direct marketers, and investigative services.
  4. Delivery and licensing — Data is delivered via API, batch file, or embedded scores. Downstream use is governed by contractual license terms rather than by directly enforceable regulatory conditions, so restrictions on re-sale or re-identification depend on the broker's own auditing of its customers, which the FTC's 2014 report found to be uneven.

The FTC Act Section 5 prohibition on unfair or deceptive trade practices provides the primary federal enforcement hook where sector-specific statutes do not apply. The FTC's enforcement record against data brokers is documented in the FTC Data Security Enforcement reference.

Data minimization obligations — addressed in detail at Data Minimization Principles — apply differently depending on whether a broker's product qualifies as a consumer report, a financial product under GLBA, or a general commercial dataset.

Common scenarios

Four recurring fact patterns define the operational landscape for data broker compliance:

People-search platforms aggregate identity data and sell reports to individuals and businesses. These platforms sit in a regulatory gray zone: they do not clearly qualify as CRAs in all applications, yet their outputs affect access to housing and employment — uses that trigger FCRA liability when a covered entity relies on the report for an adverse decision.

Location data resellers acquire GPS and cell-signal data from mobile applications and resell it to advertisers, law enforcement contractors, or hedge funds. The FTC sued Kochava in August 2022 under FTC Act Section 5 for selling location data that could expose visits to reproductive health clinics, places of worship, and shelters (FTC v. Kochava, D. Idaho, Case No. 2:22-cv-00349), and in January 2024 announced a proposed consent order against X-Mode Social (now Outlogic) barring the sale of sensitive location data.

Credit header data resellers sell the non-report portions of credit bureau files — name, address, phone number, employment — arguing these fall outside FCRA. Courts and regulators have contested this boundary repeatedly; in December 2024 the CFPB proposed a rule under Regulation V that would have treated credit header data sold by a CRA as a consumer report.

State registration compliance applies in Vermont (Secretary of State), California (Civil Code § 1798.99.80, originally AB 1202 and now administered by the California Privacy Protection Agency), Texas (SB 2105, Secretary of State) and Oregon (HB 2052). California's Delete Act (SB 362, signed 2023) requires registered data brokers to honor deletion requests submitted through a centralized mechanism operated by the California Privacy Protection Agency, which must be available by January 1, 2026, with brokers required to process requests from August 1, 2026 (California Privacy Protection Agency, SB 362 resources).

Decision boundaries

Whether a specific entity qualifies as a regulated data broker — and under which regime — turns on four determinative factors, each of which is already visible in the definitions and scenarios above:

  1. Relationship — whether the entity has a direct relationship with the consumer; state definitions exclude first-party collectors.
  2. Data type — whether the data is a sensitive category separately regulated under HIPAA, GLBA, or state law (health, financial, precise location).
  3. Intended use — whether the product is used for credit, insurance, employment, or housing eligibility, which makes it a consumer report under FCRA regardless of how the broker labels it.
  4. Jurisdiction — the state in which the affected consumers reside, which determines registration, deletion, and opt-out obligations.

The contrast between FCRA-covered brokers and non-FCRA commercial data aggregators is the defining structural boundary in US data broker compliance. FCRA entities carry defined permissible-purpose restrictions, mandatory disclosure obligations, and civil liability exposure for willful violations of statutory damages between $100 and $1,000 per consumer plus punitive damages and attorney's fees (15 U.S.C. § 1681n); non-FCRA brokers face FTC Act Section 5 enforcement and, increasingly, state privacy enforcement actions through agencies such as the California Privacy Protection Agency and state attorneys general. The emerging federal privacy legislation landscape may eventually unify these standards, but no comprehensive federal data broker statute had been enacted as of the date of this publication.
