The rise of data broker registries marks a significant shift in how consumer data is tracked, shared, and regulated. The United States is the only country to have legally ratified four data broker registries - in California, Oregon, Vermont, and Texas - with another four in development, in New Jersey, Delaware, Michigan, and Alaska.
These efforts aim to increase transparency in the data market and give individuals more control over their personal information. While data brokers operate largely behind the scenes, their influence on digital privacy is substantial. In this article, we explore what data brokers do, how they differ from data providers, and why the US stands alone in implementing these registries.
This article was written with contribution from Kezia Vilawa, Privacy, Security and Compliance Manager at Monda and former Data Protection Consultant at TechGDPR.
A data broker is a company that collects, aggregates, and sells consumer data, often without direct interaction with the individuals whose data they handle. These companies source information from public records, online activity, purchasing behavior, and other third-party sources. Data brokers then package this data for sale to advertisers, businesses, and even government agencies for purposes ranging from targeted marketing to fraud prevention.
The difference between a data provider and a data broker comes down to the category of data that each party deals with. A ‘data provider’ is a company which provides any kind of data. It’s a more general term. In contrast, a ‘data broker’ is a kind of data provider that deals specifically with personal data (the term used in EU law) or personally identifiable information (or ‘PII’, the term used in US law). The term ‘data broker’ is used much more often in legal contexts, which are concerned with protecting consumer privacy and enforcing the regulated handling of personal data.
A data broker registry is a government-mandated list requiring data brokers to register their business operations, disclose their data practices, and, in some cases, provide opt-out mechanisms for consumers. These registries aim to improve transparency and give individuals more control over how their personal data is collected and shared. States like California and Vermont have already implemented such registries, setting the foundation for broader regulatory frameworks.
Data broker registries are crucial for increasing transparency in the largely unregulated data brokerage industry. They help consumers understand who is collecting their data, how it is being used, and what options they have for opting out. Additionally, these registries provide policymakers with insights into the scope and scale of data brokerage activities, potentially leading to stronger privacy protections and regulatory actions in the future.
The US has led the way in establishing data broker registries due to its fragmented approach to data privacy regulation, where states often take the initiative in passing consumer protection laws. Unlike the European Union, which enforces broad privacy protections under the General Data Protection Regulation (GDPR), the US relies on state-level and sector-specific laws, creating a patchwork of regulations. This decentralized approach has allowed states like Vermont, California, and others to pioneer data broker registries independently.
However, as concerns over data privacy grow globally, other countries and jurisdictions may eventually adopt similar measures. Indeed, with no such data broker registry for the European Union, EU data privacy enforcement could struggle to regulate the market when there is no central record for data brokers operating in its jurisdiction.
These four states have brought data broker registries into law.
Authority: CPPA (California Privacy Protection Agency)
Law: Delete Act (and associated Regulations)
Requirement: Data broker annual registration in the Data Broker Registry
Registration fee: 400$ (other administrative fees apply)
Registration deadline: 31st January of every year
Relevant date for data brokers: The Delete Request and Opt-out Platform (DROP) will be made available for broker installation by 1 Jan. 2026.
Relevant date for consumers (individuals): Starting 1 Aug. 2026, individuals can request deletion of their data and brokers are required to honour opt-out requests from and begin their 45-day deletion sweeps.
Fine: $200 for every day of non-compliance
Enforcement: Growbots and UpLead were fined $35,400 and $34,400 respectively, for registration non-compliance.
See more on the State of California’s Department of Justice website.
Authority: Vermont Secretary of State
Law: Vermont’s Act 171 of 2018 Data Broker Regulation
Requirement: Data broker annual registration with the Vermont Secretary of State + A requirement that Data brokers maintain certain minimum data security standards + A prohibition on fraudulently acquiring certain types of data, or using such data to commit bad acts.
Filing fee: 100$
Registration deadline: 31st January of every year
Fine: $50 for each day of failing to register, and up to a maximum of $10,000 per year + the filing fee of $100.
See more on the Office of Vermont Attorney General’s website.
Authority: Division of Financial Regulation
Law: House Bill 2052
Requirement: Data broker annual registration with the Oregon Division of Financial Regulation
Registration fee: $600
Registration deadline: Annually, with registration certificates expiring at the end of the calendar year
Relevant date for data brokers: Effective January 1, 2024
Relevant date for consumers (individuals): Not specified
Fine: Civil penalty of up to $500 with total penalties capped at $10,000 annually
Enforcement: Oregon Division of Financial Regulation may enforce the law and impose penalties
See more on the Division of Financial Regulation for the State of Oregon’s website.
Authority: Texas Secretary of State
Law: Texas Data Broker Act
Requirement: Data broker annual registration with the Texas Secretary of State
Registration fee: $300
Registration deadline: Annually, with registration certificates expiring one year from the date of issuance
Relevant date for data brokers: Effective September 1, 2023
Relevant date for consumers (individuals): Not specified
Fine: Civil penalty up to $10,000 in a 12-month period
Enforcement: Texas Attorney General can seek civil penalty and enforce the Act
See more on the Texas Secretary of State website.
These four states have passed Bills requiring data broker registration but they have not yet been made law. We’ll keep this guide updated with details if and when these states bring data broker registries into law, and we will add more states considering data broker registries as they emerge.
Authority: The proposed bill designates the relevant state authority to oversee data broker registration.
See more on the DataGuidance website.
Authority: The Delaware Department of Justice is responsible for creating and maintaining the data broker registry.
See more on the Delaware Business Times website.
Authority: The Michigan Attorney General's office is authorized to enforce data protection regulations.
See more on the Michigan Senate Democrats website.
Authority: The Alaska Department of Commerce, Community, and Economic Development is tasked with establishing and maintaining a data broker registry.
See more on the Alaska State Legislature website.
Please note that the information provided in this blog article is based on available sources as of February 12, 2025. For the most current details, it is advisable to consult the official state legislative websites or contact the relevant state authorities directly.
150+ data companies use Monda's all-in-one data monetization platform to build a safe, growing, and successful data business.
Explore all featuresMonda makes it easy to create data products, publish a data storefront, integrate with data marketplaces, and manage data demand - data monetization made simple.
Sign up to our newsletter for unique thought leadership and to be the first to know about every product update and event.
