Understanding the Work of Data Brokers and Their Impact on Data Privacy

Data brokers are organizations that collect large amounts of raw personal information online and offline, analyze it, and sell it to other companies (e.g., advertisers, financial entities, and insurance providers), which mostly use it for marketing purposes. The practice is less well known than other privacy topics, but it is almost certain that everyone's personal information has passed through a data broker's hands at some point along the data supply chain.

Remember when you skimmed through your personal email account and noticed several advertisements from a company you have not done business with trying to pitch an exclusive rewards card to one of your favorite coffee shops, and wondered how the company knows your name and email address? That’s the work of a data broker.

The data broker industry is not as new as some people may think, but it creates data protection and privacy concerns, especially when there is a lack of rules regulating this industry. This article will break down what data brokerage entails, highlight key enforcement actions, and explore what legislation and guidance are currently in place.

How data brokers collect personal information

Data brokers collect all types of personal information ranging from basic information (e.g., name, contact information, email address) to sensitive and intrusive personal information (e.g., gender, income level, geolocation, health data). They have a variety of means to collect personal information, including:

Source: Direct collection
Data brokers may:

  • Purchase companies, apps, and websites that collect users’ personal information, which is subsequently transferred into the broker’s databases;
  • Pay app developers to embed their software development kits (SDKs) in the app, so that when users install the app on their phone and grant the app permissions, the data broker’s SDK gains the same access to the user’s data.

Online agreements and terms of service may state in fine print that the company has the right to collect and share personal information from its users, but these disclosures are often not clear to users.

Source: Indirect collection
Data brokers search for personal information in a variety of sources, such as public records (voter registration, birth certificates, criminal records) and data from web browsers, internet searches, and users’ interactions with apps or websites.

Source: Inference
Data brokers may use algorithms to make predictions or draw inferences from seemingly non-personal data, including about consumers who have never directly shared the inferred information.

Source: Government sources
Postal services may be leveraged to collect a person’s address or determine whether someone has moved, and U.S. Census Bureau data can be used to gather demographic information about a particular location, such as income levels.

Source: Commercial sources
Data brokers can also acquire personal information from various commercial sources, such as retailers, catalog companies, financial services providers, and other data brokers.

How do data brokers impact data privacy?

Individuals who enjoy the convenience of personalized ads and services could argue that there is little harm in data brokers collecting and sharing personal information with companies. However, the same data, once sold, can be reused in other industries in ways that harm the individual.

For example, a data broker collects an individual’s personal and geolocation data and infers that they are a car enthusiast and spend their weekend at a race track. A car dealership purchases this information to offer the individual special deals, but an insurance company analyzing that same information might infer that the individual is a reckless driver and may impose a higher insurance rate.

Data brokerage also presents cybersecurity concerns. Data brokers aggregate large volumes of personal information from many sources into a single database, which makes them a high-value target: one breach of a broker exposes data that the affected individuals never gave the broker directly and may not know it holds.

Enforcement actions

The Federal Trade Commission (FTC) has stepped up enforcement against irresponsible data brokerage and has finalized several settlements, including with Mobilewalla, Inc. and Avast Limited.

On January 14, 2025, the FTC finalized a settlement with Mobilewalla, Inc. after the company collected over 500 million unique consumer identifiers with precise location data that were not anonymized. Mobilewalla failed to remove sensitive location data from the identifiers, making identifying individuals and their visited locations possible. The company also analyzed and created audience segments—for example, targeting pregnant women based on their visits to pregnancy centers—and sold this data to third parties such as advertisers and other data brokers.

On June 27, 2024, the FTC also finalized an order against Avast Limited, banning the company from selling or licensing data for advertising purposes. Avast falsely claimed their software product blocked tracking cookies, but in reality, they collected and sold consumer browsing data in an identifiable format without notice or consent.

What’s being done to regulate data brokerage in the U.S. federally?

Two federal measures curb data brokerage: the Department of Justice (DOJ) final rules on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (Final Rules), issued pursuant to EO 14117, and the Protecting Americans’ Data from Foreign Adversaries Act.

The Final Rules on preventing access to U.S. government-related data and bulk sensitive data

Published on December 27, 2024, the Final Rules prohibit or restrict U.S. persons and companies from engaging in covered data transactions that allow a country of concern or a covered person to access government-related data or sensitive personal data above specified bulk thresholds. Countries of concern are China, Cuba, Iran, North Korea, Russia, and Venezuela; covered persons are foreign persons or entities located in, or owned or controlled by residents of, countries of concern, when they participate in covered data transactions.

Covered data transactions include prohibited transactions and restricted transactions. Specifically, prohibited transactions include:

  • U.S. companies that hold bulk human ‘omic data and engage in data brokerage with covered persons;
  • U.S. persons and companies participating in data brokerage with covered persons that involve the transfer of U.S. government-related data or bulk sensitive personal data;
  • U.S. persons and companies participating in transactions that allow foreign persons (a non-covered person) access to government-related data or bulk sensitive personal data via data brokerage, unless the person or company:
    • Establishes a contractual agreement that obligates the foreign person to refrain from participating in any covered data transaction that involves data brokerage of the same data with a country of concern or covered person;
    • Reports any known or suspected violation of the contractual agreement with the foreign person. The report must contain a prescribed list of material and be filed within 14 days of becoming aware of the violation.

Protecting Americans’ Data from Foreign Adversaries Act (PADFA)

PADFA, in effect since June 23, 2024, prohibits data brokers from selling, licensing, providing access to, or otherwise making available sensitive data of Americans to foreign adversaries or entities controlled by foreign adversaries. Foreign adversaries include China, Iran, North Korea, and Russia.

Under PADFA, the FTC has enforcement powers to seek civil penalties of up to $50,120 per violation when a data broker breaches the Act.

What actions are being taken to regulate data brokerage at the state level?

Four states have enacted data broker laws:

  • California’s Delete Act;
  • Oregon’s Act Relating to Registration of Business Entities that Qualify as Data Brokers;
  • Texas’ Data Broker Act;
  • Vermont’s Act Relating to Data Brokers and Consumer Protection.

Registration requirements

An essential requirement for data brokers doing business in any of the four states is to register their name and contact information, disclose their practices to the competent authority, and pay a required fee. However, each state’s requirements contain some nuances:

  • Oregon and Texas specify a renewal process for data brokers to renew their registration once it expires, which must be accompanied by a renewal fee;
  • Oregon and Vermont require data brokers that offer individuals an opt-out from the collection (or, in Oregon only, the collection, sale, and licensing) of their brokered personal data to disclose which of those activities the opt-out applies to;
  • Texas and Vermont require data brokers to state whether they implement a purchaser credentialing process, to report the number of security breaches experienced during the prior year and the total number of consumers affected, and, if they process data of a known minor/child, to describe their data collection and sales practices and opt-out policies applicable to minors/known children;
  • California requires data brokers to provide a link to their website that provides information about how consumers may exercise their privacy rights and disclose whether and to what extent data brokers and their subsidiaries are regulated by specific laws (e.g., the federal Fair Credit Reporting Act).

Unique data broker requirements

  • California’s CPPA will develop a deletion mechanism that enables consumers to ask every data broker to delete their data via a single request. Starting on August 1, 2026, all data brokers and their processors must access the mechanism at least once every 45 days and process all deletion requests. Additionally, by July 1 following each calendar year, data brokers must record and report the average time taken to respond to consumer rights requests, the number of requests received, complied with, or denied, and the number of requests denied in whole or in part for specified reasons;
  • Oregon’s law establishes an exception to its registration requirement, providing that a data broker may collect, sell, or license brokered personal data without registering only if certain conditions are met (e.g., data collection, sales, or licensing involves only providing publicly available information);
  • Texas requires data brokers who maintain an Internet website or mobile application to display a conspicuous notice on their website/application, disclosing that a data broker maintains the platform;
  • Vermont prohibits data brokers from acquiring brokered personal data through fraudulent means, or acquiring or using it for the purpose of stalking or harassing someone, committing fraud, or engaging in unlawful discrimination;
  • Texas and Vermont require data brokers to develop a comprehensive information security program and implement computer system security measures to safeguard all records that contain personal data.

How are data brokers being regulated in Europe?

Europe does not have a specific law regulating the data broker industry, but the GDPR still applies because data brokerage involves processing individuals’ personal data. For example, Article 14 of the GDPR requires a controller that did not obtain personal data from the data subject to inform them of that fact, including the source of the data and the purposes of processing. In practice, a data broker demonstrates this by sending affected data subjects a notice stating that their personal data was obtained from a source other than themselves, together with instructions and tools for objecting to the processing and opting out of the data broker’s database.

The United Kingdom’s Information Commissioner’s Office and Lithuania’s Data Protection Inspectorate published guidance on responsible data brokerage, advising on what to assess to ensure data brokers demonstrate lawful practice.

Key things to consider before working with data brokers

  • Simply accepting a data broker’s claim that the personal data they supply complies with relevant laws is not enough;
  • Research whether specific laws or rules applicable to certain industries and jurisdictions regulate the use of data brokers;
  • Consult data protection authorities or experts for advice and best practices before working with data brokers;
  • Conduct due diligence on potential data brokers to ensure their data collection and selling practices are legal, for example:
    • Confirm that consumers were informed about what they consented to and notified when their data was sold to third parties;
    • Ensure they cross-check collected data against opt-out lists;
    • Verify how they handle consumer rights requests;
  • Clearly inform consumers that their data was obtained from data brokers;
  • Verify that there is a legal basis for processing brokered personal data;
  • Using a data broker and including a contractual clause for compliance with data protection laws does not excuse the data controller’s own responsibilities.
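The opt-out cross-check and provenance checks above are the parts of due diligence a buyer can actually automate on a delivered data set. The following is an added example, not code from the article or from any data broker: it normalizes email addresses, compares them against a suppression (opt-out) list exchanged as SHA-256 hashes so neither side has to hand over the raw list, and flags delivered records that arrive without a stated source or notice. The record layout, the field names "email", "source" and "notice_given", and the sample data are all assumptions made for the example.

```python
"""Added example (not from the article): cross-checking a data broker's
delivered records against an opt-out (suppression) list, and flagging
records delivered without provenance.

Assumptions (hypothetical, not from the article): the opt-out list is
exchanged as SHA-256 hashes of normalised email addresses; every delivered
record is a dict with an "email" key and, ideally, "source" and
"notice_given" keys describing where the data came from and whether the
consumer was told.
"""
import hashlib
import unicodedata


def normalize_email(email: str) -> str:
    """Canonicalise an address before hashing so trivial variations (case,
    surrounding whitespace, Unicode compatibility forms) do not let a
    suppressed consumer slip through. Plus-addressing and dots are left
    alone on purpose: stripping them is provider-specific behaviour."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def hash_identifier(value: str) -> str:
    """Hash a normalised identifier; the opt-out list is matched on this."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_suppression_set(opted_out_emails):
    """Turn a raw opt-out list into a set of hashes of normalised addresses."""
    return {hash_identifier(normalize_email(e)) for e in opted_out_emails}


def filter_records(records, suppression):
    """Split delivered records into those safe to use and those that match
    the suppression list. Matching is done on the hash, so the same code
    works whether the opt-out list arrived as plaintext or as hashes."""
    kept, suppressed = [], []
    for rec in records:
        digest = hash_identifier(normalize_email(rec["email"]))
        (suppressed if digest in suppression else kept).append(rec)
    return kept, suppressed


def missing_provenance(records, required=("source", "notice_given")):
    """Records delivered without a source or without a notice flag; these
    need follow-up with the broker rather than silent acceptance."""
    return [rec for rec in records if any(not rec.get(k) for k in required)]


# Constructed sample input (not real consumer data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "source": "retailer-loyalty", "notice_given": True},
    {"email": "  Bob@Example.COM ", "source": "app-sdk", "notice_given": True},
    {"email": "carol@example.com", "source": "public-records", "notice_given": False},
    {"email": "dave+ads@example.com", "source": "", "notice_given": True},
]
SAMPLE_OPT_OUTS = ["bob@example.com", "CAROL@EXAMPLE.COM"]


def run_checks(records=SAMPLE_RECORDS, opt_outs=SAMPLE_OPT_OUTS):
    """Run the suppression and provenance checks and summarise by email."""
    suppression = build_suppression_set(opt_outs)
    kept, suppressed = filter_records(records, suppression)
    return {
        "kept": [r["email"] for r in kept],
        "suppressed": [r["email"] for r in suppressed],
        "needs_followup": [r["email"] for r in missing_provenance(kept)],
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the sample data, Bob is suppressed despite the different casing and whitespace in the delivered record, Carol is suppressed even though her opt-out was entered in upper case, and Dave survives the opt-out check but is flagged because the broker gave no source for the record. Hashing the suppression list limits what each party learns, but it is not anonymization: anyone holding the hashes can still confirm whether a known address is on the list.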

Be ready to comply with new laws and regulations

Irresponsible data brokerage can be a hidden issue that bubbles up into significant non-compliance with relevant laws. Where and how personal data is collected must be considered carefully throughout the data processing lifecycle. Data brokerage is a growing industry with many nuances.
