We provide data subject request automation software to ensure compliance with state data broker laws. Data brokers — companies that collect, compile, and sell personal information about individuals — are now regulated under a patchwork of state laws that vary dramatically in scope, enforcement teeth, and consumer rights. Connecticut’s data broker registration law, effective October 2025, joins California, Vermont, Texas, Oregon, Montana, and a growing list of states that have decided the industry needs a leash.
If you’re a data broker trying to stay compliant, a business that buys data, or a privacy professional advising clients, this guide breaks down every major state data broker law in force or imminent — what they require, what they penalize, and how they stack up against each other.
What Is a “Data Broker” Under State Law?
Before comparing laws, it’s worth understanding that “data broker” is not a universally defined term. Knowing how regulators define it is the way to avoid future legal issues: even car companies like Ford are registered as data brokers, although they don’t fit the traditional sense of the term. Each state draws the line differently, and whether your business qualifies as a data broker in one state may not settle the question in another.
- California defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
- Vermont defines it as any entity that, for profit, regularly collects and sells personal information about Vermont consumers to third parties without a direct relationship with those consumers.
- Connecticut adopts similar language, covering businesses that knowingly collect brokered personal data from consumers with whom they have no direct relationship and sell or license that data to third parties.
- Texas focuses on businesses engaged in the sale of personal information, with carve-outs for certain regulated industries.
- Oregon and Montana follow frameworks modeled partly on California and Vermont, with state-specific carve-outs.
Common exemptions across most states include: financial institutions subject to GLBA, covered entities and business associates under HIPAA, consumer reporting agencies under FCRA, and government entities.
Connecticut Data Broker Law: Registration, Requirements, and Penalties
Overview
Connecticut’s data broker registration framework was established under Public Act 24-140, signed into law in 2024, with the registration requirement taking effect on October 1, 2025. It amends the Connecticut Data Privacy Act (CTDPA) framework and creates standalone obligations for data brokers operating in the state.
Who Must Register
A business must register as a data broker in Connecticut if it:
- Knowingly collects brokered personal data about Connecticut consumers
- Does not have a direct relationship with those consumers
- Sells, licenses, trades, or otherwise discloses that data for monetary or other valuable consideration
- Conducts business in Connecticut or targets Connecticut residents
“Brokered personal data” under Connecticut’s framework includes name, address, date of birth, place of employment, financial account numbers, payment card numbers, government-issued identifiers, and other categories of personal information that are not publicly available from government sources.
Registration with the CT Department of Consumer Protection
Connecticut data brokers must register annually with the Connecticut Department of Consumer Protection (DCP) — not the Office of the Attorney General, which is a key structural difference from some other states.
Registration requirements include:
- Annual registration fee: $100 per year
- Submission deadline: January 31 of each calendar year (with first registration due by January 31, 2026, covering activity in 2025)
- Required disclosures at registration:
  - Legal name and primary physical address of the data broker
  - Name and contact information of a designated privacy officer or compliance contact
  - A description of the categories of brokered personal data collected
  - A description of the data broker’s data collection practices, including sources
  - Information about the data broker’s opt-out mechanism and how consumers can exercise rights
  - Whether the data broker implements a comprehensive data security program
  - Whether the data broker has experienced a data breach in the prior calendar year involving brokered personal data of Connecticut residents
The DCP is required to maintain a publicly accessible registry of all registered data brokers, giving Connecticut residents a searchable tool to identify who is selling their data.
Consumer Rights Under the CT Framework
Connecticut’s data broker law ties into the broader CTDPA consumer rights framework:
- Right to opt out of the sale of personal data
- Right to opt out of targeted advertising using brokered data
- Right to deletion of brokered personal data upon verified consumer request
- Data brokers must provide a clear and conspicuous opt-out mechanism on their website, which must be easy to find and use without requiring account creation
Security Requirements
Connecticut data brokers must implement and maintain a comprehensive data security program that includes:
- Administrative, technical, and physical safeguards appropriate to the size, scope, and nature of the data broker’s activities
- A written information security program (WISP)
- Data breach response procedures consistent with Connecticut’s existing breach notification law
Penalties for Non-Compliance
Enforcement authority rests with the Connecticut Attorney General, not the DCP. Penalties include:
- Failure to register: Civil penalty of up to $10,000 per year of non-registration
- Violation of data security requirements: Civil penalties under the CTDPA enforcement framework, up to $5,000 per violation
- Violation of consumer rights obligations: Up to $5,000 per willful violation, consistent with CTDPA enforcement
- Cure period: The AG must provide a 60-day cure period before initiating enforcement action (this cure period sunsets on December 31, 2025)
- No private right of action — enforcement is exclusively through the AG
Action Items for CT Compliance
- Determine whether your business meets the CT definition of a data broker by October 2025
- Prepare registration materials for the January 31, 2026 deadline
- Audit your opt-out mechanism to ensure it meets CT’s conspicuousness and accessibility standards
- Review your WISP and update to reflect Connecticut’s data security expectations
- Designate a privacy officer or compliance contact for DCP registration purposes
California Data Broker Law: The Gold Standard (and the Template)
Overview
California has the most mature and robust data broker regulatory framework in the country, comprising two separate but interlocking laws: the Data Broker Registration Law (Civil Code § 1798.99.80 et seq.), effective January 1, 2020, and significant amendments and additions under the Delete Act (SB 362), signed in 2023 with phased implementation through 2026.
Who Must Register
California’s definition is relatively broad: any business that knowingly collects and sells to third parties the personal information of California consumers with whom the business does not have a direct relationship. The $25 million revenue threshold under CCPA does not apply to data broker registration — there is no revenue minimum.
Registration with the California Privacy Protection Agency (CPPA)
California data brokers must register annually with the California Privacy Protection Agency (CPPA):
- Annual registration fee: $1,200 (increased from the original $400 under the Delete Act)
- Registration deadline: January 31 of each year
- Required disclosures:
  - Business name, physical address, email address, and website
  - Description of the categories of personal information sold
  - Information about whether the data broker sells data of minors
  - Whether the data broker sells data related to reproductive health
  - Opt-out link and description of opt-out process
  - A link to the data broker’s privacy policy
The CPPA maintains a public registry at cppa.ca.gov.
The Delete Act: A National First
California’s Delete Act (SB 362) created a landmark mechanism: a single, centralized deletion request mechanism that, once invoked by a consumer, requires all registered data brokers to delete that consumer’s data. Key implementation dates:
- August 1, 2026: CPPA must establish the accessible deletion mechanism
- January 1, 2028: Data brokers must be able to receive and honor deletion requests through the mechanism
- Data brokers must conduct annual reviews of any data belonging to consumers who submitted deletion requests to ensure data stays deleted
Consumer Rights
- Right to opt out of sale via the data broker’s own opt-out link (must be “clear and conspicuous”)
- Right to deletion through both the individual data broker and the centralized Delete Act mechanism
- Enhanced rights for reproductive health and other sensitive data categories
Penalties
- Failure to register: Civil penalty of $200 per day of non-registration, up to a maximum of $200 × number of days (no cap specified, creating potentially unlimited liability for long-term non-filers)
- Violations of the Delete Act: Civil penalties up to $200 per consumer per day for failure to process deletion requests — a dramatically higher exposure than registration failure alone
- CPPA enforcement authority is primary; AG retains concurrent jurisdiction
- No private right of action under the data broker registration law (distinct from CCPA, which has a limited private right of action for data breaches)
Vermont: The Pioneer State
Overview
Vermont enacted the first dedicated data broker registration law in the United States in 2018 (9 V.S.A. § 2430), making it the template that later states borrowed from. Vermont’s law is narrower in scope than California’s but was groundbreaking for its time.
Registration
- Register annually with the Vermont Secretary of State
- Annual fee: $100
- Deadline: January 31
- Disclose: type of data collected, opt-out availability, security practices, known data purchaser categories, and whether the data broker has had a data breach in the prior year
Consumer Rights
- Opt-out right for data used in targeted advertising and certain other sales
- No centralized deletion mechanism (unlike California)
- Data brokers must disclose if they offer opt-out and how to exercise it
Penalties
- Enforcement by the Vermont Attorney General
- Civil penalties up to $10,000 per violation under the Consumer Protection Act
- Failure to register is treated as a deceptive trade practice
- No private right of action
Texas Data Broker Law
Overview
Texas enacted its data broker law under HB 4 (2023), effective September 1, 2023. Texas’s approach focuses primarily on registration and opt-out rights, and it notably covers data brokers broadly regardless of revenue size — a significant departure from some Texas privacy law thresholds.
Registration
- Register with the Texas Secretary of State
- Annual fee: $300
- Deadline: January 31 each year
- Required disclosures: business name, address, website, categories of data sold, opt-out mechanism details
- Texas maintains a public registry of registered data brokers
Opt-Out Requirements
Texas law requires data brokers to offer consumers the ability to opt out of the sale of personal data for targeted advertising and other specified uses. Data brokers must establish a “clear and conspicuous” opt-out mechanism on their website.
Penalties
- Enforcement by the Texas Attorney General
- Civil penalty of up to $10,000 per violation
- Failure to register: $10,000 per year of non-registration
- Deceptive Trade Practices Act violations may layer additional penalties
- No cure period mandated for data broker registration violations (distinct from the Texas Data Privacy and Security Act)
Oregon Data Broker Law
Overview
Oregon’s data broker registration requirement was created under HB 2052 (2023), part of the same legislative session that produced the Oregon Consumer Privacy Act. The law is effective January 1, 2024 for registration obligations.
Registration
- Register with the Oregon Department of Consumer and Business Services
- Annual fee: $300
- Deadline: January 31
- Required disclosures mirror Vermont and California: business information, data categories, opt-out mechanism, security practices, and breach history
Consumer Rights
- Opt-out rights tied to the broader Oregon Consumer Privacy Act framework
- Data brokers must honor global opt-out signals (GPC) — a notable requirement
- Right to deletion for certain categories of data
Penalties
- Enforcement by the Oregon Attorney General
- Civil penalty up to $7,500 per violation
- Failure to register: civil penalty up to $500 per day of non-registration
- No private right of action
Montana Data Broker Law
Overview
Montana enacted its data broker registration law under SB 351 (2023) as a companion to the Montana Consumer Data Privacy Act. It is effective October 1, 2024.
Registration
- Register with the Montana Secretary of State
- Annual fee: $50 (the lowest of any state)
- Deadline: January 31
- Disclose: business name, address, website, data categories, opt-out process, security program certification, breach history
Consumer Rights
- Opt-out of sale and targeted advertising use
- Deletion rights tied to the Montana Consumer Data Privacy Act
Penalties
- Enforcement by the Montana Attorney General
- Civil penalty up to $7,500 per violation
- 60-day cure period required before enforcement action
- No private right of action
Other Emerging State Frameworks
Florida
Florida’s Digital Bill of Rights (SB 262, 2023) does not create a standalone data broker registration law but imposes obligations on “data brokers” as a category within its broader privacy framework. Florida’s law applies only to controllers with $1 billion+ in revenue, limiting its reach considerably. Data brokers meeting that threshold must honor opt-out rights for profiling and targeted advertising.
Indiana
Indiana’s Consumer Data Protection Act (HEA 1547, effective January 1, 2026) does not contain dedicated data broker registration requirements but imposes opt-out and deletion obligations on entities that function as data brokers under its definitions of “controller” and “sale of personal data.”
Maryland
Maryland’s Online Data Privacy Act (SB 541, effective October 1, 2025) is notable for including explicit “data broker” provisions and requiring registration with the Maryland Attorney General’s office. Maryland’s framework is among the newest and most comprehensive in the Mid-Atlantic region. Details on fee amounts and exact registration procedures were still being finalized as of mid-2025.
Nevada
Nevada SB 220 (2019) and subsequent amendments require certain data brokers to establish opt-out mechanisms for the sale of “covered information.” Nevada’s law is narrower than Vermont’s and does not include a registration registry — it focuses primarily on the opt-out obligation. Penalties for violation: up to $5,000 per violation enforced by the Nevada AG.
State-by-State Comparison Table
| State | Law / Effective Date | Registration Body | Annual Fee | Registration Deadline | Max Penalty (Non-Registration) | Max Penalty (Violation) | Cure Period | Private Right of Action | Centralized Deletion Mechanism |
|---|---|---|---|---|---|---|---|---|---|
| California | Civil Code § 1798.99.80 / Jan 1, 2020; Delete Act / 2026 | CPPA | $6,000 | January 31 | $200/day (no cap) | $200/consumer/day (Delete Act) | None (registration); varies (other) | No (registration); Limited (CCPA breach) | Yes (2026) |
| Vermont | 9 V.S.A. § 2430 / 2018 | Secretary of State | $100 | January 31 | Up to $10,000/violation | $10,000/violation | None specified | No | No |
| Connecticut | PA 24-140 / Oct 1, 2025 | Dept. of Consumer Protection | $100 | January 31 | $10,000/year | $5,000/willful violation | 60 days (sunsets Dec 31, 2025) | No | No |
| Texas | HB 4 / Sep 1, 2023 | Secretary of State | $300 | January 31 | $10,000/year | $10,000/violation | None for registration | No | No |
| Oregon | HB 2052 / Jan 1, 2024 | Dept. of Consumer and Business Services | $600 | January 31 | $500/day | $7,500/violation | None specified | No | No |
| Montana | SB 351 / Oct 1, 2024 | Secretary of State | $50 | January 31 | Up to $7,500/violation | $7,500/violation | 60 days | No | No |
| Nevada | SB 220 / Oct 1, 2019 | No registry — opt-out only | N/A | N/A | N/A | $5,000/violation | None specified | No | No |
| Maryland | SB 541 / Oct 1, 2025 | Attorney General | TBD | TBD | TBD | Up to $10,000/violation | 60 days (initial period) | No | No |
Data Broker Registration Act Differences Between CT & CA
Registration Body
One of the most operationally significant differences between Connecticut and California is who you register with. California routes registration through the California Privacy Protection Agency, a purpose-built privacy regulator with deep expertise and its own rulemaking authority. Connecticut routes registration through the Department of Consumer Protection — a general consumer protection agency — while leaving enforcement to the Attorney General. This bifurcation means Connecticut data brokers have two relevant agencies to track, not one.
Registration Cost by State
- California: $6,000 per year. Following the implementation of the California Delete Act, the California Privacy Protection Agency (CPPA) drastically raised the fee to offset the cost of building the new universal Delete Request and Opt-Out Platform (DROP).
- Oregon: $600 per year (not $300). Oregon’s data broker registry fee was finalized at $600 annually through its Division of Financial Regulation.
- Texas: $300 per year
- Vermont: $100 per year
- Connecticut: $100 per year
- Montana: $50 per year
If a large data broker registers across all seven states that currently enforce registration fees, the actual compliance cost is nearly triple your original estimate:
| State | Registration Fee |
|---|---|
| California | $6,000 |
| Oregon | $600 |
| Texas | $300 |
| Vermont | $100 |
| Connecticut | $100 |
| Montana | $50 |
| Total Annual Fee Burden | $7,150 |
This total is likely to rise soon, as states like New York and New Jersey have pending or newly advancing data broker registration bills with their own expected fees.
Deletion Mechanism
California’s Delete Act is genuinely without peer. No other state has created or committed to a centralized, consumer-facing deletion request mechanism that binds all registered data brokers simultaneously. When it launches in 2026, a California consumer will be able to make a single request that flows to every registered data broker. Connecticut, Vermont, Texas, Oregon, and Montana all require data brokers to honor individual deletion requests made directly — a far more burdensome process for consumers and one that most will never navigate. This asymmetry is one of the strongest arguments for a federal data broker law.
Per-Violation vs. Per-Day Penalties
California’s Delete Act penalty structure — $200 per consumer per day — is the most aggressive in the country. For a data broker with one million California consumer records who fails to process a deletion request for 30 days, theoretical maximum exposure exceeds $6 billion. Even accounting for enforcement discretion, this structure is designed to be existentially threatening to non-compliant brokers. Connecticut’s $5,000 per willful violation structure is comparatively modest, more closely resembling Vermont and Montana’s approach.
Cure Periods
Connecticut and Montana both provide a 60-day cure period — but Connecticut’s sunsets on December 31, 2025, after which the AG can pursue enforcement without prior notice. California provides no cure period for data broker violations. Oregon and Nevada also provide no formal cure period under their data broker frameworks. Texas provides no cure period specifically for registration failures, though the TDPSA cure provision applies to broader privacy violations.
Opt-Out Mechanism Requirements: What All States Agree On
Despite significant variation in registration, fees, and penalties, all data broker laws share a core requirement: data brokers must provide consumers with a mechanism to opt out of the sale of their personal information. The specific standards differ, but several principles are universal:
- Conspicuousness: The opt-out link or button must be easy to find — typically on the homepage or in the website footer — and must not require consumers to navigate through multiple pages or create an account to access it.
- No discrimination: Data brokers cannot charge consumers a fee, reduce service quality, or otherwise penalize consumers for exercising opt-out rights.
- Verification: Data brokers may require consumers to verify their identity before processing opt-out requests, but the verification process must not be unnecessarily burdensome.
- Response timelines: Most states require opt-out requests to be honored within 45 days, with a potential extension of another 45 days for complex requests.
- Global Privacy Control (GPC): Oregon currently has the most explicit GPC-honoring requirement for data brokers. California requires CCPA-covered businesses to honor GPC, which effectively extends to many data brokers. Connecticut’s CTDPA requires GPC recognition but the specific application to registered data brokers’ brokered data activities is still being clarified.
Data Security Requirements Across States
Data broker registration laws almost universally require data brokers to maintain “reasonable” data security programs, but the specificity varies:
- Connecticut: Requires a comprehensive data security program with written documentation; breach notification obligations under Connecticut’s breach notification law apply.
- California: The CPPA’s cybersecurity audit requirements (effective 2024 under CPRA regulations) apply to high-risk data processors, which will capture large data brokers. Registration disclosures must include confirmation of security practices.
- Vermont: Data brokers must disclose whether they have a security program and must report prior-year breaches at registration time.
- Texas: Reasonable security measures are required; Texas’s data broker law does not specify detailed security program elements beyond the general requirement.
- Oregon: Security requirements align with Oregon’s existing breach notification law and the Oregon Consumer Privacy Act’s security expectations.
- Montana: Reasonable security measures; registration must certify the existence of a security program.
Sensitive Data: Where CT and CA Part Ways Significantly
California’s Delete Act and associated CPPA regulations have created heightened protections for specific sensitive data categories that appear in brokered datasets:
- Reproductive health information
- Immigration status
- Mental health records
- Precise geolocation
- Data about minors
California’s registration form specifically asks data brokers whether they sell data about minors and whether they sell reproductive health data — disclosures that feed directly into heightened enforcement scrutiny. The CPPA has signaled that data brokers handling these categories are priority enforcement targets.
Connecticut’s CTDPA also identifies sensitive data categories with heightened protections, but the specific interaction with data broker registration disclosures is less granular than California’s framework. Connecticut data brokers selling sensitive categories should treat the California standards as a practical compliance floor.
Vermont, Texas, Oregon, and Montana all restrict the processing of certain sensitive data categories under their broader privacy laws, with varying definitions of what qualifies as sensitive.
Federal Landscape: Will a National Data Broker Law Override State Laws?
The American Privacy Rights Act (APRA), which advanced further than most federal privacy bills in 2024, included data broker registration provisions that would have created a national registry administered by the FTC. APRA stalled in 2024, but its data broker provisions reflected broad bipartisan consensus that a federal registry is necessary.
Any enacted federal data broker law would almost certainly preempt some state registration requirements — but likely not state enforcement rights or state-specific sensitive data protections. Until a federal law passes, operating in all states with data broker registration requirements simultaneously remains the only compliant path for national-scale data brokers.
Compliance Checklist: Operating Across All Data Broker Jurisdictions
- Conduct a data broker status analysis in every state where you have registered users or sell data — the definition differs enough across states that you may qualify in some and not others.
- Calendar all January 31 registration deadlines across CA, VT, CT, TX, OR, and MT — they all share the same annual deadline.
- Budget registration fees: ~$2,150/year minimum across the six fee-charging states, plus Maryland (TBD) once finalized.
- Audit your opt-out mechanism against the strictest applicable standard — California’s — and ensure it meets GPC requirements for Oregon-connected consumers.
- Review your WISP and ensure it is documented, up-to-date, and satisfies Connecticut’s written program requirement, which is the most explicitly documented of any state.
- Track the California Delete Act timeline (2026 mechanism launch; 2028 data broker compliance deadline) and begin technical preparation now.
- Disclose prior-year breaches at registration time for VT, CT, and MT — failure to do so at registration is independently actionable.
- Designate a privacy officer or compliance contact — required explicitly by Connecticut, and a best practice for all state registrations.
- Monitor Maryland’s implementation details as its October 2025 effective date approaches.
- Watch for a federal data broker bill — any enacted law will reset compliance obligations, but the state registration infrastructure you’ve built will transfer value to federal compliance.
CT Is a Serious Law in a Growing Patchwork
Connecticut’s data broker law is not the most aggressive state law on the books — California holds that distinction, and the Delete Act will deepen that lead through 2026. But Connecticut’s framework is well-designed, operationally specific, and enforced by an AG’s office that has demonstrated willingness to use CTDPA enforcement authority. The January 31, 2026 registration deadline is not a soft target, and the cure period’s December 31, 2025 sunset means that by the time most data brokers read their first registration confirmation, the free pass is already gone.
The larger strategic reality is that the era of informal data brokering — collecting, compiling, and selling personal data without any accountability infrastructure — is ending state by state. Seven states now have registration requirements. Another five to eight are in active legislative consideration for 2025–2026 sessions. A federal law remains possible within the next two congressional sessions. Data brokers that build compliance infrastructure now — one centralized registration function, one documented security program, one robust opt-out mechanism — will absorb new state requirements at marginal cost. Those that don’t will face the choice between emergency compliance sprints and mounting penalties, state by state, year by year.
Captain Compliance helps data brokers build the compliance infrastructure to navigate this patchwork efficiently. Whether you’re preparing your first Connecticut registration or auditing your opt-out mechanism across all seven states, our team can build and maintain your data broker compliance program from the ground up.
Contact Captain Compliance today for a data broker compliance assessment tailored to your state footprint and let us protect you against expensive fines for non-compliance.