Data Broker Registration Services

If your business collects, aggregates, sells, licenses, or otherwise monetizes personal information about consumers, there is a strong chance you qualify as a data broker under one or more U.S. state laws — and that you have a legal obligation to register with state authorities, disclose your data practices, and honor consumer deletion and opt-out rights. Failing to comply is not a theoretical risk. States are actively enforcing data broker laws, levying fines, and in some cases pursuing criminal liability. The number of states with data broker registration laws is growing every year, and patchwork compliance across multiple jurisdictions is fast becoming one of the most operationally complex challenges in privacy law.

We can help with everything from data broker registration to setting up subject rights request software that automates requests as they come in, so you avoid very expensive daily fines from states like California and Connecticut.

🚨 Quick Compliance Check
Does your company buy, sell, share, or license personal data about consumers you don’t have a direct relationship with? If yes, you almost certainly need to register.

So who qualifies, which states regulate data brokers, what does each law require, and how do Captain Compliance’s data broker registration services make your organization compliant quickly, affordably, and durably?

A full breakdown follows below; if you would rather get right into it, book a demo.

1. What Is a Data Broker?

A data broker (sometimes called an “information broker” or “data aggregator”) is a business or individual that collects personal information about consumers from a wide variety of sources — public records, social media, loyalty programs, purchase histories, location data, and more — and then sells, rents, licenses, or otherwise provides that information to third parties, often without the consumer’s direct knowledge.

Data brokers operate across a remarkable range of industries. Common examples include:

  • People-search sites that compile addresses, phone numbers, relatives, and background records (e.g., Spokeo, BeenVerified, Whitepages).
  • Marketing data providers that sell audience segments and lead lists to advertisers.
  • Risk and fraud analytics companies that provide identity verification and creditworthiness signals.
  • Healthcare data companies that aggregate prescription, claims, or patient-level data for pharmaceutical or insurance clients.
  • Location data brokers that aggregate device-level GPS signals and sell mobility insights.
  • Financial data aggregators that compile transaction-level data for lenders, insurers, or fintech companies.

The legal definition of a data broker varies by state, so an entity that falls outside the definition in one jurisdiction may still be covered in another. This is precisely why applicability assessments — the first step in any serious data broker compliance program — are so important.

2. Who Must Register — and Why It Matters

The broad strokes of data broker law apply to any company that meets three general criteria:

  1. It collects personal information (or receives it from another party).
  2. It does not have a direct relationship with the consumers whose data it processes (i.e., consumers are not the business’s direct customers or employees).
  3. It sells, licenses, trades, or shares that information with third parties for monetary or other valuable consideration.

The “direct relationship” carveout is critical. Banks that share data only with affiliates, retailers that share purchase history only to fulfill orders, and employers that process employee data are generally not data brokers. However, companies that derive revenue by selling or licensing consumer data to unrelated third parties — even if that is only a secondary business activity — often qualify.

Why does registration matter beyond basic legal compliance? Four reasons stand out:

  • Avoid escalating financial penalties. Fines range from hundreds to thousands of dollars per violation per day, and regulators are actively ramping up enforcement.
  • Protect your right to operate. Some states require registration before a data broker may legally begin collecting or selling data about state residents.
  • Honor consumer rights. Registered brokers must participate in state opt-out and deletion mechanisms, building consumer trust and reducing litigation exposure.
  • Prepare for audits. Registered brokers in states like California face mandatory independent audits; advance preparation dramatically reduces audit risk.

3. State-by-State Data Broker Registration Requirements

As of mid-2026, four U.S. states have enacted comprehensive data broker registration statutes with active enforcement mechanisms: California, Texas, Vermont, and Oregon. Below is a detailed breakdown of each.

| State | Law / Authority | Registration Deadline | Annual Fee | Key Unique Requirements | Penalty for Non-Compliance |
|---|---|---|---|---|---|
| California | California Delete Act (SB 362); CalPrivacy | January 31 annually | Sliding scale ($0–$3,000 based on revenue) | Participate in DROP; mandatory independent audits | $200/day per violation |
| Texas | Texas Data Broker Act (Tx. Bus. & Com. Code § 503) | Before operating; renew annually by September 1 | $300 | Security program; staff training; website disclosure | Up to $10,000/violation |
| Vermont | 9 V.S.A. § 2446–2447 | January 31 annually | $100 | Opt-out disclosure; purchaser credentialing statement; security incident reporting | Up to $10,000/violation |
| Oregon | OR Rev. Stat. § 646A.570–.581 | Before collecting data; renew annually | TBD by DCBS rulemaking | Register before collecting, selling, or licensing Oregon resident data | Civil penalties up to $2,000/violation |

4. California Delete Act & CalPrivacy Registration

California’s Delete Act (SB 362), signed into law in 2023 and administered by the California Privacy Protection Agency (CalPrivacy), is the most comprehensive data broker law in the United States. It builds on the California Consumer Privacy Act (CCPA) and creates a unified deletion mechanism for consumers.

Who Qualifies Under California Law?

A “data broker” under the Delete Act is a business that knowingly collects and sells to third parties personal information about a consumer with whom the business does not have a direct relationship. Importantly, the law excludes consumer reporting agencies regulated by the FCRA, entities subject to HIPAA, and businesses that are already subject to other comprehensive California privacy obligations.

California Registration Requirements

  • Annual registration with CalPrivacy by January 31 each year.
  • Registration fee on a sliding scale: $0 for micro-businesses, up to $3,000 for large enterprises.
  • Delete Request and Opt-Out Platform (DROP) participation — brokers must process deletion requests submitted through CalPrivacy’s centralized consumer portal.
  • Mandatory independent audits beginning in 2028, assessing compliance with CCPA and the Delete Act.
  • Disclosure of data practices, including categories of data collected and third parties to whom data is sold or shared.

What Is the DROP Platform?

The Delete Request and Opt-Out Platform (DROP) is a centralized system created by CalPrivacy that allows California consumers to submit a single deletion request that applies to all registered data brokers simultaneously. This is a major shift: brokers can no longer require consumers to submit individual requests to each company. Registered brokers must integrate with DROP and honor deletion requests within 45 days, with a possible 45-day extension.

California Penalties

Unregistered data brokers are subject to civil penalties of $200 per day for each day they fail to register. Failure to process DROP deletion requests or honor other obligations can result in additional penalties and regulatory action.

5. Texas Data Broker Act

Texas’s Data Broker Act (Texas Business & Commerce Code, Chapter 503) is notable for imposing the most extensive operational requirements of any state data broker law — including mandatory security programs, staff training, and website disclosures.

Who Qualifies Under Texas Law?

A “data broker” in Texas is a business that collects and sells or licenses to third parties personal information about individuals with whom the business does not have a direct relationship. Unlike California, Texas does not limit coverage by revenue or size — even small businesses may qualify.

Texas Registration Requirements

  • Register before operating as a data broker in Texas — this is a pre-commencement obligation, not an after-the-fact filing.
  • Annual renewal by September 1, with a $300 registration fee paid to the Texas Secretary of State.
  • Website disclosure — brokers must prominently disclose on their website or app that they are a data broker.
  • Comprehensive information security program — brokers must implement a written security program with administrative, technical, and physical safeguards appropriate to the size and complexity of the business and the sensitivity of the data handled.
  • Third-party service provider oversight — the security program must include provisions for assessing and monitoring the security practices of third-party vendors who handle personal data on the broker’s behalf.
  • Staff training — employees with access to personal data must be trained on the broker’s privacy and data security obligations at least annually.

Texas Penalties

The Texas Attorney General has enforcement authority and may impose civil penalties up to $10,000 per violation. Each day of continued non-compliance following notice may constitute a separate violation.

6. Vermont Data Broker Regulation

Vermont was the first state in the United States to enact a data broker registration law, doing so in 2018. Vermont’s law (9 V.S.A. §§ 2446–2447) is administered by the Vermont Attorney General’s office and the Secretary of State.

Vermont Registration Requirements

  • Annual registration with the Vermont Secretary of State by January 31, at a $100 fee.
  • Opt-out disclosure — brokers must disclose whether they offer consumers an opt-out of their data being sold or licensed, and must provide instructions for how to exercise that opt-out.
  • Purchaser credentialing statement — brokers must disclose whether they have a process for credentialing (vetting) the buyers of personal data.
  • Security incident reporting — brokers must report data breaches involving Vermont residents to the Attorney General’s office.
  • Data practices disclosure — the registration must identify the categories of personal data collected, the sources used to collect it, and the categories of entities to whom data is sold or licensed.

Vermont Penalties

Violations of Vermont’s data broker law are subject to enforcement by the Attorney General, with civil penalties up to $10,000 per violation. Vermont has historically been an active enforcer of consumer data protection laws.

7. Oregon Data Broker Registration Law

Oregon’s data broker law (Oregon Revised Statutes §§ 646A.570–.581), which took effect in 2024, is administered by the Oregon Department of Consumer and Business Services (DCBS).

Oregon Registration Requirements

  • Register before collecting, selling, or licensing brokered personal data about Oregon residents — like Texas, this is a pre-commencement requirement.
  • Annual renewal with DCBS; registration fees are established by agency rulemaking.
  • Data practices disclosures covering categories of personal data collected, sources used, and categories of entities to whom data is sold or licensed.
  • Consumer opt-out rights — brokers must honor consumer requests to opt out of the sale of their personal data and must provide clear instructions on how to submit those requests.

Oregon Penalties

DCBS may impose civil penalties of up to $2,000 per violation, and the Oregon AG may bring enforcement actions for systemic violations.

8. Emerging State Laws to Watch in 2026

The data broker regulatory landscape is evolving rapidly. Several additional states are at various stages of proposing, drafting, or passing data broker registration or comprehensive privacy laws that include data broker provisions. Businesses that operate nationally should monitor developments in states including:

  • New Jersey — passed the New Jersey Data Privacy Act in 2024 with data broker-relevant provisions.
  • Florida — Florida’s Digital Bill of Rights (HB 1547) includes consumer rights applicable to data brokers.
  • Illinois — proposed legislation would extend its existing Biometric Information Privacy Act obligations and add data broker registration requirements.
  • New York — the New York Privacy Act (repeatedly introduced) would impose obligations closely tracking those in CPRA and could include data broker registration requirements.
  • Federal action — the American Privacy Rights Act (APRA), introduced in 2024, would establish a federal data broker registry with the FTC if enacted, preempting or supplementing state laws.

Captain Compliance monitors all legislative developments so your compliance program stays ahead of the curve, not behind it.

9. Data Broker Compliance Checklist

Use this checklist as a starting point for your data broker compliance program. Note that requirements vary significantly by state — this is a general overview, not legal advice.

✅ Step 1: Applicability Assessment

  • Identify all personal data flows in your organization (data mapping).
  • Determine whether your business meets the definition of “data broker” under each relevant state law.
  • Identify applicable exemptions (FCRA, HIPAA, direct-relationship carveouts, etc.).

✅ Step 2: Initial Registrations

  • Submit registrations in all applicable states before the required deadlines (or before commencing operations in states with pre-commencement requirements).
  • Pay required registration fees and retain confirmation records.

✅ Step 3: Privacy Policy & Website Updates

  • Update privacy policy to disclose data broker activities, categories of data collected, and consumer rights.
  • Add required “data broker” website disclosures where mandated (e.g., Texas).
  • Implement opt-out mechanisms for applicable states.

✅ Step 4: Data Mapping & Inventory

  • Document all personal data collected, its sources, retention periods, and third parties with whom it is shared or sold.
  • Maintain a current data inventory to support registration disclosures and audits.

✅ Step 5: Consumer Request Processes

  • Establish processes for receiving and honoring consumer deletion and opt-out requests.
  • Integrate with California’s DROP platform (required for California registrants).
  • Document and timestamp all consumer requests and your responses.

✅ Step 6: Information Security Program

  • Implement a written information security program (required under Texas law and best practice generally).
  • Conduct risk assessments at least annually.
  • Assess and monitor third-party service providers with access to personal data.

✅ Step 7: Staff Training

  • Train all employees with access to personal data on data broker obligations and your security program.
  • Document training completion and maintain training records.

✅ Step 8: Annual Renewal & Ongoing Monitoring

  • Calendar annual registration renewal deadlines for each state.
  • Monitor regulatory guidance, enforcement actions, and new state laws.
  • Update registrations and documentation whenever material changes occur in your data practices.

✅ Step 9: Audit Readiness

  • Maintain organized compliance documentation sufficient to respond to regulatory inquiries.
  • Prepare for California’s mandatory independent audit requirements (effective 2028).
  • Conduct internal compliance reviews at least annually.

10. Consequences of Non-Registration

The cost of ignoring data broker registration obligations is real and escalating. Here is what non-compliant organizations face:

  • Daily accumulating fines. California imposes $200/day per violation; Texas up to $10,000 per violation; Vermont up to $10,000 per violation. A company that operates unregistered for a full year could face fines exceeding $70,000 in California alone — before accounting for other states or individual violations.
  • Injunctive relief and forced cessation of operations. States can seek court orders requiring a data broker to stop collecting or selling consumer data until it comes into compliance.
  • Reputational harm. Regulatory enforcement actions are typically public. Being named in an enforcement action can damage your brand, relationships with enterprise clients, and ability to enter new markets.
  • Private litigation exposure. While most data broker statutes do not include a private right of action, CCPA (which overlaps significantly with the Delete Act) does permit individual and class action suits for data breaches affecting certain categories of data.
  • Downstream contract risk. Data buyers increasingly require their data supplier partners to certify compliance. Non-registration can cost you enterprise contracts.

11. How Captain Compliance Helps with Data Broker Registration

Captain Compliance provides end-to-end data broker registration services designed for businesses of all sizes — from early-stage startups just entering the data economy to established enterprises managing multi-state compliance programs. Unlike traditional law firms that charge premium hourly rates for every touchpoint, Captain Compliance delivers efficient, technology-enabled compliance support that gets you registered and keeps you compliant.

🔍 Applicability Assessment

We conduct a detailed review of your data flows, business model, and applicable state laws to determine precisely which registration obligations apply to your organization — and which exemptions may reduce your burden.

📋 Registration Preparation & Filing

We prepare accurate, complete registration submissions for California, Texas, Vermont, Oregon, and any additional states that become applicable. We handle all filings and confirmations so nothing falls through the cracks.

🗺️ Data Mapping

We help document all personal data collection, sale, and sharing activities — creating the data inventory that underpins accurate registration disclosures, audit readiness, and consumer request processing.

📄 Policy & Governance Documentation

We draft and update privacy policies, internal data governance policies, and related documentation to satisfy disclosure requirements under each applicable state law.

📬 Consumer Request Management

We help you build and operate processes for receiving, verifying, and responding to consumer deletion, opt-out, and data access requests — including integration with California’s DROP platform.

🔒 Security Program Support

We assist in developing a written information security program that meets Texas requirements and represents best practice for data brokers operating in any jurisdiction — including vendor risk management components.

🎓 Staff Training

We design and deliver training programs for your team covering data broker obligations, privacy best practices, and security requirements — with documentation to satisfy state training mandates.

📅 Annual Renewal Management

We calendar and manage your annual registration renewals across all applicable states, ensuring you never miss a deadline and that your registration filings remain accurate as your data practices evolve.

🏛️ Audit Readiness

We help you maintain the compliance documentation necessary to respond to regulatory inquiries and, for California registrants, to prepare for mandatory independent audits beginning in 2028.

📡 Regulatory Monitoring

Data broker laws are changing every year. We monitor legislative developments, regulatory guidance, and enforcement trends so your compliance program stays current without you having to become a privacy lawyer.

12. Captain Compliance vs. Traditional Compliance Firms

| Feature | Captain Compliance | Traditional Law Firm |
|---|---|---|
| Multi-state registration management | ✅ Included | ⚠️ Hourly fees apply |
| Technology-enabled compliance platform | ✅ Yes | ❌ Typically no |
| DROP integration support (California) | ✅ Included | ⚠️ Additional engagement required |
| Annual renewal tracking | ✅ Automated | ⚠️ Client responsible |
| Consumer request management | ✅ Included via DSAR Portal | ❌ Outside typical scope |
| Transparent, predictable pricing | ✅ Yes | ❌ Variable hourly billing |
| Ongoing regulatory monitoring | ✅ Continuous | ⚠️ Only when engaged |
| Privacy compliance software suite | ✅ Included (consent, DSAR, cookie tools) | ❌ Not provided |

13. Frequently Asked Questions About Data Broker Registration

Who must register as a data broker?

Any business that collects personal information about consumers with whom it does not have a direct relationship and then sells, licenses, or shares that information with third parties generally must register in applicable states. The specific threshold varies by state. California, Texas, Vermont, and Oregon all have active registration requirements. If your business profits from consumer data you did not collect directly from those consumers, you should conduct an applicability assessment.

What are the registration deadlines?

California and Vermont require annual registration by January 31. Texas requires registration before beginning operations and annual renewal by September 1. Oregon requires registration before collecting or selling data about Oregon residents. If you are already operating without having registered, your first priority should be to register immediately to stop the accrual of penalties.

What happens if I fail to register?

Penalties vary by state but can be severe. California imposes $200 per day per violation. Texas and Vermont can impose up to $10,000 per violation. Oregon allows up to $2,000 per violation. Beyond fines, states can seek injunctions blocking your data operations, and enforcement actions are publicly disclosed, creating reputational and downstream contract risk.
