close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Data Privacy

The 2026 Field Guide to Data Broker Compliance in California, Connecticut, New Jersey and Beyond

Ian Phippen - July 13, 2026

Since the California Consumer Privacy Act (CCPA) passed in 2018, 19 other states have passed their own comprehensive state privacy laws. California’s new Delete Act, requiring advanced privacy compliance measures from data brokers, is already on track for a similar course. The Delete Act hasn’t been in effect for a full year, and Connecticut and New Jersey have already followed suit, passing two of the strictest data broker laws on record. 

For data brokers, this means complying not only with comprehensive state privacy laws, but also broker-specific regulation. Each law draws the line in a different place. If your business sells personal data, licenses it, or shares it with a partner for value, the definition of “data broker” may already apply to you, whether you think of yourself as one or not.

Below is a practical comparison of how states define data brokers and what compliance actually requires. 

Why data broker regulation is accelerating

Six states* now maintain broker registries: Vermont, California, Texas, Oregon, and—as of 2026, —Connecticut and New Jersey. While data brokers were traditionally defined as companies strictly in the business of selling consumer data, newer laws have expanded this definition considerably. Depending on the state, a company that makes only a small share of its revenue from data, or one that never exchanges data for money at all, can still land on a broker registry.

The center of gravity has also shifted from simple registration toward active consumer control: deletion, opt-outs, and outright bans on selling certain data types. Most consumers have no relationship with the companies that hold and sell their information, so traditional privacy laws built around individual data subject requests haven’t met their needs. The newest laws aim to fix that by routing rights through the state itself.

How each state defines a “data broker”

The definition is the first thing to check, because it determines whether a law applies to you at all.

State Key laws Data broker definition “Sale” is strictly monetary Exempted organizations
CA Delete Act, Cal. Civ. Code § 1798.99.80(d) (2019, amended 2023) “Business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship No. “Selling” data can include renting, releasing, disclosing, disseminating, making available, or transferring data for either monetary or “valuable consideration.”  Excludes businesses covered by FCRA, GLBA, or HIPAA. 

Excludes businesses 1) with annual gross revenue under $25M, 2) buying, selling or sharing PII of fewer than 100k consumers, devices, or households, and derives less than 50% of annual revenue from selling or sharing personal information. 

CT Public Act No. 26-64 (SB 4) (2026) “Any business, or any portion of a business, that sells or licenses brokered personal data to another person” No, but narrower than CA. “Selling” data is a monetary exchange or exchange for “valuable consideration where the controller receives a material benefit and the third party isn’t restricted in its subsequent use of the data.” Excludes businesses covered by FCRA, GLBA, DPPA, or HIPAA. 

No volume or revenue-based exemptions for any business selling personal data.

NJ A5328 (amending P.L. 2023, c.266) (2026) An entity that “collects and/or purchases the personal data of a consumer with whom the person or legal entity does not have a direct relationship and sells or licenses data to third parties” Maybe. “Sells or licenses” isn’t strictly defined and “licenses” could arguably include non-cash arrangements.  Doesn’t apply to e-commerce/app platforms, 411 directory assistance, publicly available business/professional info, or real-time health/safety alert services. 

Excludes one-time asset sales and incidental data licensing. Otherwise, no company is exempt, but registration requirements scale with

revenue and processing volume.

OR HB 2052 (2023), HB 2008 (2025) “any business entity or part of a business entity that collects and sells or licenses ‘brokered personal data’ of Oregon residents” No. Sale can include exchanging data for valuable consideration, including non-cash trades. While still considered data brokers, businesses are exempt from broker compliance requirements if collection/sale/ licensing is strictly limited to publicly available business, professional, health and safety information, lawfully available government records, digital access to publishing/media works, e-commerce infrastructure, directory information services, or one-time/incidental asset sales. 
TX SB 2105 (2023);   SB 2121 (2025). 

See also: CUBI (2001)

“a business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data” No.  Transferring

can mean any disclosure, sharing, dissemination, or licensing of data, not just a monetary sale. Companies that enrich, analyze, or score PII they didn’t obtain directly are also included

Excludes service providers processing employee data for a third-party employer, entities sharing data within common ownership/ control, consumer reporting agencies under FCRA, and GLBA regulated entities. The broker label applies regardless of revenue, but only businesses making over half their revenue from transferring personal data, or processing/profiting at all from the data of 50,000+ individuals they didn’t collect directly, must comply with registration.
VT Act 171 (2018) A business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship Maybe. “Sells or licenses” is not strictly defined. “Licenses” could arguably include non-cash arrangements.  Does not apply to e-commerce/app platforms, 411 directory assistance, publicly available business/professional info, or real-time health/safety alert services. Excludes one-time asset sales and incidental data licensing. 

No revenue or threshold exemptions. 

CT and NJ’s data broker laws go into effect in 2027, all other laws listed are in effect today. 

While compliance thresholds vary, the basic definition of a data broker is more similar across states than different.

How to determine if you’re a data broker

Companies that make most of their profit obtaining and reselling data already know they’re data brokers and register accordingly. The gray area is everyone else: businesses that share data as a byproduct of their model but don’t market themselves as brokers. Broker registration isn’t free and the technical requirements are not trivial, so this is a real risk-benefit question, not just a compliance checkbox. 

A few factors matter most:

  • Sharing data: California isn’t the only state that counts a data transfer as a sale even when the benefit isn’t strictly monetary. If a data transfer doesn’t directly benefit the consumer whose data is shared, it needs a closer look.
  • Non-public information: Most data broker laws aren’t as concerned with entities that simply repackage already-public information. Additional requirements kick in once the data isn’t easily accessible elsewhere.
  • No direct relationship: Businesses are more likely to be classified as data brokers when they process personal data they didn’t obtain directly from the consumer, rather than data used only to service an existing direct relationship.

That last point is where the biggest variation between state definitions lies. 

Some laws exempt third-party data if it explicitly services a direct relationship, and some even permit re-sharing that data. Others, like the Delete Act, put an expiration date on the “direct relationship” exemption: continuing to process and share a consumer’s data long after the relationship ends can turn you into a broker. New Jersey goes further, classifying businesses with a direct consumer relationship that share data with brokers as separate “data collectors” under the same law.

The takeaway: If you license organized data sets or supply consumer data to a downstream buyer, read each law carefully before assuming you’re out of scope. California in particular has made clear that a company’s self-image won’t factor into its broker designation, and has flagged data broker registration as a key enforcement priority.

Compliance expectations, compared

Most privacy laws simply require data brokers to register with the state. Some go further, adding:

  • Documented disclosure of certain processing activities during registration
  • Independent audits of privacy, security, and/or ethical practices
  • Bans of certain data sales regardless of consumer consent
  • Centralized deletion for consumers who opt out through the state

Vermont was the first state to pass a data broker law, but California’s Delete Act inspired a wave of more demanding regulation, with steeper fees and more complex compliance obligations. See the specifics below.

State Registration fee Disclosures Audits Banned data sales Centralized deletion Other requirements
CA $6,000/yr Collecting data from minors; collecting precise geolocation or reproductive health data; DSR reporting metrics; sharing data with foreign actors, law enforcement, or generative AI developers Yes, independent third-party audits every 3 years effective 2028 No Yes, beginning August 1, 2026 on a 45 day compliance cycle.  None
CT $2,500/yr Facial recognition, surveillance pricing Yes, independent third-party audits every 3 years effective 2031 Yes, CT resident precise geolocation data cannot be sold.  Yes, beginning October 1, 2028.  Facial recognition and surveillance pricing practices must both also be communicated to consumers. Additional rules specific to DTC genetic testing. Must honor GPC signals.
NJ Tiered, between $5,000 to $1.5M/yr Consumer deletion and opt-out methods No Yes, sensitive data cannot be sold even with consent. No Must honor GPC signals.
OR $600/yr Consumer opt-out methods No Yes, geolocation data and the data of children under 16 cannot be sold even with consent.  No None
TX $300/yr Collecting known-child data No Yes, certain instances of biometric data cannot be sold or shared even with consumer consent.  No Must implement a specific security program or risk additional enforcement. Must clearly identify as a data broker on its website/app and tell consumers how to exercise their rights. 
VT $100/yr Whether it uses a purchaser- credentialing process, data breaches No No No Must maintain a comprehensive security program. Breaches risk additional enforcement. 

While these requirements are often collected into a single data broker specific state regulation, in some cases other privacy laws in the state also issue requirements specific to data brokers. These requirements are also listed above. 

Banning specific data from being sold

Some laws ban certain data types, or certain consumers’ data, from being sold at all, even with consent. These bans aren’t always specific to data broker laws: Oregon’s and Connecticut’s come from their state privacy laws, and Texas’ comes from a separate statute, the Texas Capture or Use of Biometric Identifier Act (CUBI).

Two more comprehensive state privacy laws added bans against certain types of data selling effective 2026: 

Expect more comprehensive state privacy laws to add similar bans.

Centralized deletion platforms

California built the first one. The Delete Requests and Opt-out Platform (DROP) lets a consumer submit one verified request that reaches every registered broker at once. Consumers have been able to submit requests since January 2026, and brokers can begin processing them on August 1, 2026. From that date, brokers must access DROP at least once every 45 days, delete matching records unless an exemption applies, report the status of each request, and maintain a suppression list so deleted data stays deleted. 

Connecticut is following the same path. SB 4 directs the Department of Consumer Protection to build an accessible deletion mechanism by July 1, 2028, after which registered brokers must check it at least every 45 days and process requests. 

By following California’s lead in this way, Connecticut may signal a trend. Other states considering data broker regulation will watch CA and CT closely before deciding if the model fits. 

Universal opt-out mechanisms

Centralized deletion isn’t the only way to cut friction for consumers. New Jersey law also requires brokers to honor Global Privacy Control (GPC) signals, automatically opting out any visitor who sends one. Connecticut requires this too, in addition to its centralized deletion process.

Many comprehensive state privacy laws now require all businesses, not just brokers, to honor universal opt-out mechanisms (UOOMs) like GPC. It’s more work for the consumer, who still has to visit each site individually, but it’s meaningfully less burdensome for the broker than a centralized platform.

Rising registration costs

Businesses on the border of the broker definition may be hesitant to register given increasingly high registration costs. New Jersey’s tiered fees top out at $1.5M a year for the largest brokers, and even smaller fees add up fast as more states pass their own laws.

The cost of noncompliance

But erring on the wrong side of registration has a cost too. Most data broker law penalty structures are built to compound. 

State Failure to register fine Additional fines
CA $200/day $200/day the broker fails to answer a deletion request within the required time frame, per request
CT $200/day/ consumer  $200/day the broker fails to answer a deletion request within the required time frame, per request
NJ Up to $2,500/day $50,000 fine per record of selling sensitive data. $2,500 registration penalty also applies for failure to timely update registration information. 
OR $500/day capped at $10,000/year $7,500 per violation of selling geolocation or minors data
TX $100 or more/day plus unpaid registration fees for each year unregistered, capped at $10,000/yr $25,000 per violation of selling or sharing biometric data. Security program noncompliance is actionable separately under the Texas DTPA. 
VT $50/day capped at $10,000/yr, plus an amount equal to fees owed during the unregistered period. $10,000 per violation of data broker security breaches or fraudulent acquisition/misuse of brokered personal information. 

Fines above reflect data broker and data selling related fines from any state laws, not just data broker-specific regulation. 

A year of failing to register as a broker can cost $18-913 thousand dollars per state. 

New Jersey is the most severe on paper.  Selling sensitive data in violation of A5328 carries a fine of $50,000 per record, and failure to register or update information draws up to $2,500 per day. Layer that on top of Daniel’s Law, New Jersey’s law protecting the home addresses and phone numbers of judges, prosecutors, and law enforcement officers, which sets minimum liquidated damages of $1,000 per violation, allows punitive damages, and makes claims assignable. That assignability has already fueled litigation against more than 100 data brokers.

However, fines from states with centralized deletion mechanisms shouldn’t be underestimated. By our calculations, based on CalPrivacy’s most recent statements on request volume, missing the first DROP compliance cycle could cost roughly $60 million for every day of noncompliance

This list is not exhaustive. Data brokers must also comply with comprehensive state privacy laws that apply to all qualifying organizations, not just data brokers, and come with their own fines. Any cost estimation of noncompliance must also consider laws providing a private right of action like the California Invasion of Privacy Act (CIPA) or Electronic Communications Privacy Act (ECPA). These laws target unauthorized access to private information rather than data brokers specifically, but are still nonetheless referenced by plaintiffs against brokers who deploy user tracking technology on their websites. 

Federal data broker regulation and enforcement

States aren’t the only U.S. regulators data brokers should watch. At the federal level, momentum has been uneven. The Consumer Financial Protection Bureau proposed a rule in December 2024 to treat many data brokers as consumer reporting agencies under the FCRA, then withdrew it in May 2025. Where Washington has moved, it has focused on national security. The Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) bars brokers from selling sensitive data to foreign adversary nations, and a Department of Justice rule restricts bulk data transfers to countries of concern.

The Federal Trade Commission, meanwhile, has pressed a steady series of enforcement actions against data brokers. Examples include:

  • Data brokers including X-Mode Social, InMarket Media, Mobilewalla, Gravy Analytics, and GM Motors were fined and in some cases banned from selling geolocation data that could be used to construe sensitive information
  • Avast was issued a $16.5M settlement for marketing a product as a privacy tool while silently selling users’ browsing history
  • GM Motors was banned from selling behavioral data with consumer reporting agencies without informed consent

FTC actions have consistently centered on consumer transparency, especially where a data sale affects a consumer’s pricing or exposes sensitive information. Selling precise geolocation data without clear consent draws the most scrutiny.

The future of data broker regulation

First, more states will likely build centralized deletion models. California’s DROP is the reference design, and Connecticut is building its own version. Expect more one-request-reaches-all mechanisms rather than leaving consumers to chase brokers individually.

Second, sensitive and location data will remain the practical focus. New state bans and federal enforcement both concentrate here, so precise geolocation, health, and similar categories carry the highest risk to sell or share.

Third, the definition of who must comply keeps widening. New Jersey created a separate “data collector” category for businesses that supply brokers, governed under the same law. 

The regulatory landscape is only getting more layered. Brokers now have to comply with federal law, 20 comprehensive state privacy laws, a growing set of broker-specific statutes, and a scattering of broker-relevant rules buried in otherwise unrelated laws.

What non-broker privacy teams should take from all this

Even if you’d never register as a broker, these laws preview where mainstream privacy obligations are heading. The smartest teams are treating them as a readiness checklist, not someone else’s problem.

Confirm your status before you assume you are exempt. California’s recurring lesson is that the broker definition catches businesses that do not see themselves as brokers, particularly once licensing and downstream data sharing are in scope. Map your data flows against each state’s definition. 

Build for automated, verifiable deletion now. DROP requires brokers to find, match, delete, and report on records within tight windows, then suppress that data going forward. Every privacy team faces some version of this through data subject requests, and the operational bar keeps rising. If deletion still runs on manual work and email threads, automating that process closes the gap before it shows under pressure.

Treat universal opt-out signals as a baseline. Global Privacy Control and similar mechanisms are now mandatory for any business that sells data or runs targeted advertising in a growing list of states, well beyond broker registries. Getting signal handling right is table stakes.

Know where your data lives and where it goes. You can’t delete, suppress, or report on data you can’t find, and you can’t avoid an illegal sale you didn’t know was happening. Visibility into your systems, third-party sharing, and shadow IT is the foundation everything else sits on.

Data brokers are just one category facing sharper scrutiny. Illinois’ Biometric Information Privacy Act (BIPA) inspired similar laws in Texas, Washington, and Utah, and Washington’s My Health My Data Act arrived the same year as Nevada’s SB 370. If your organization operates in any similarly scrutinized space, watching what happens next for data brokers is a reasonable preview of what’s coming for you. 

Getting a handle on data broker compliance

Meeting people’s privacy expectations is the first step toward compliance, and these laws are simply codifying expectations consumers already hold. Teams that can locate their data, automate deletion, honor opt-outs, and prove all of it will be ready for broker rules, and for whatever the next state passes.

DataGrail helps privacy, legal, and security teams do exactly that, with unified visibility into where personal data lives, automated request fulfillment, and built-in support for the newest deletion and opt-out obligations. Explore DataGrail’s DROP compliance solution and reach out for a walkthrough.

 

* While Montana is sometimes included on lists of data broker laws, it has not been included here. Senate Bill 282 prohibits local and state government agencies from purchasing data from brokers, but it does not issue brokers any specific requirements. Montana does not maintain a data broker registry, and while brokers must comply with the Montana Consumer Data Privacy Act, the law does not issue separate requirements for data brokers.

Contact Us image

Let’s get started

Ready to level up your privacy program?

We're here to help.