Data Broker Privacy Compliance: Our Top 5 List

Blog Post

With the current patchwork of data privacy laws, compliance can be challenging for any business. The compliance landscape may be even more fraught with risk for data brokers, given various data broker registration requirements, the panoply of general state privacy laws, and the specter of federal enforcement. As such, to help mitigate compliance risk, data brokers may want to consider the following:

  1. Expansive Scope. Data broker is broadly defined. In California, it means, with limited exception, any “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Exceptions exist for entities covered by the Federal Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, and data exemptions also exist for entities, and their business associates, to the extent they process electronic personal health information. Put otherwise, an entity may be a data broker even though historically it has not thought of itself as such.
  2. Data Broker Registration Laws. Currently, California, Oregon, Texas and Vermont have generally applicable data broker registration laws. California and Vermont require registration by January 31 of a given year. In recent months, the California Privacy Protection Agency has not been reticent about fining data brokers for failing to register (see: https://cppa.ca.gov/announcements/2024/20241114.html; https://cppa.ca.gov/announcements/2024/20241223.html). The penalty for failing to register on time is $200 per day. Needless to say, registering in February, while still after the deadline, will be much less costly than registering in September.
  3. Information Security. The Vermont and Texas data broker registration laws have fairly robust information security requirements. California has taken a different approach, baking cybersecurity audits into the current rulemaking package under the CCPA (see: https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_ins_text.pdf). A complementary approach is to consider the measures required under the new proposed modifications to the HIPAA Security Rule (see our earlier article on this topic: https://www.stoelprivacyblog.com/2025/01/articles/hipaa/a-deeper-dive-into-the-proposed-modifications-to-the-hipaa-security-rule/). The requirements under the HIPAA Security Rule are widely recognized as the gold standard for data protection, so it makes sense to review them. Even if not technically required, a data broker should consider performing, for example, an annual security risk assessment, as a best practice, to help reduce the risk of an information security incident.
  4. State Supplemental Privacy Notices. There are 20 general state privacy laws on the books, with more than a few becoming operative before the end of 2026. Only a handful, including California and Texas, have pure monetary thresholds for applicability. The others, and California as well, apply to businesses or controllers that process the personal information of a certain number of consumers (residents) of a given state or whose business consists primarily of selling or sharing the personal information of a (lower) number of consumers of that state. Most businesses, with the possible exception of large retailers (and then with respect to general processing, not sale or sharing), will not reach these thresholds. Many data brokers will. Accordingly, not only will a data broker need to publish a website privacy notice (which, as drafted, could cover both its online and offline operations), but, practically, it will need to prepare and publish a state privacy supplemental notice for all states with a currently operative general privacy law. As such, while the CCPA, for example, requires an annual review and, if appropriate, an update to the privacy notice (which must cover both online and offline operations), given new laws, the review and updating cycle is semi-annual (and, of course, more frequent if there are material data processing changes).
  5. Know Your Data/Customer (and Track Applicable Developments). While lighter-touch enforcement is expected at the federal level, the processing of sensitive personal data, including precise geolocation data, will remain a focus area for the Federal Trade Commission. Similarly, and especially with respect to sensitive personal data, where any of it may be purchased or sold, a close eye will need to be kept on vetting suppliers and securing reasonable assurances from downstream recipients that such data will be handled appropriately and securely. To that end, a periodic review of inbound purchase (or license) and outbound sale (or license) template agreements is warranted. Similarly, given the fluidity and increasingly rapid rate of change in the current regulatory environment, continuous tracking of bills which may apply to data brokers (including general data privacy bills with embedded data broker registration requirements) becomes vitally important.

We will discuss additional aspects of the data broker regulatory landscape in future articles, including a deeper dive into the Vermont data broker registration law (2018), the first one in the country, and follow up with additional examination of data broker laws and developments in other states, including California.
