What Is a Data Broker? The Legal Definition Most Privacy Services Get Wrong
California law has a specific legal test for data brokers that excludes companies with direct user relationships. Most privacy services ignore it. Here's why it matters.
Most Privacy Services Don't Know What a Data Broker Actually Is
Ask ten privacy companies to define "data broker" and you'll get ten different answers. Some include dating apps. Others list background check companies. A few even target review platforms like Yelp.
The problem? California law already defines it. And most privacy services are getting it wrong.
The Legal Definition: CA Civil Code Section 1798.99.80
The California Delete Act (SB 362, effective January 2024) provides the clearest statutory definition of a data broker in the United States:
A "data broker" is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
The critical phrase is "does not have a direct relationship." This single test separates legitimate data brokers from companies that collect your data because you gave it to them.
The Direct Relationship Test
Under CA Civil Code Section 1798.99.80(d), a company is NOT a data broker if it has a direct relationship with the consumer whose data it holds. This means:
Companies That ARE Data Brokers
- People-search sites (Spokeo, WhitePages, BeenVerified) — they aggregate your data from public records without your knowledge or consent
- Data aggregators (Acxiom, Oracle Data Cloud, LexisNexis Risk Solutions) — they buy, compile, and resell consumer data at scale
- Marketing data companies (Datalogix, Epsilon, LiveRamp) — they build consumer profiles from purchased data
Companies That Are NOT Data Brokers
- Dating apps (Match.com, Bumble, Hinge) — you created an account and voluntarily provided your data
- Background check firms (HireRight, Sterling, Checkr) — subjects consent under FCRA Section 604 before any check is run
- Review platforms (Trustpilot, ConsumerAffairs) — users voluntarily post their own reviews
- Real estate platforms (Zillow, Redfin) — they aggregate public county records but also maintain direct user relationships
Why This Distinction Matters
For Consumers
If a privacy service sends unauthorized removal demands to companies that aren't data brokers, several things can happen:
- Your requests get ignored — the company has no legal obligation to comply
- It wastes your time — every failed request is effort that could have gone toward a removal from an actual broker
- It can backfire — companies may flag your account or take legal action against the service
For the Industry
When privacy services send thousands of removal requests to non-brokers, it undermines the entire data removal industry:
- Companies start ignoring legitimate requests because they're overwhelmed with invalid ones
- Regulators question whether the industry understands the laws it claims to enforce
- Consumers lose trust when they see "removals" from sites that were never data brokers
The California Data Broker Registry
California maintains an official data broker registry at the California Privacy Protection Agency. Every company that meets the statutory definition must register and pay an annual fee.
Key facts about the registry:
- Over 500 registered data brokers as of 2026
- Companies face fines of $200 per day for failing to register
- The Delete Act requires brokers to honor deletion requests within 45 days
- Registration is public — anyone can verify if a company is a registered broker
If a company is NOT on California's registry and does NOT meet the statutory definition, sending it a "data broker removal request" has no legal basis.
Gray Areas: Where It Gets Complicated
Some companies genuinely straddle the line:
- Zillow aggregates public property records (broker behavior) but also has millions of direct user accounts (direct relationship)
- Healthgrades compiles doctor data from public license records but also hosts patient reviews
- Yelp aggregates business data but is primarily a user-generated content platform
The honest answer is that these are legally ambiguous. At GhostMyData, we classify them as "gray area" and exclude them from automated removal requests until the legal landscape clarifies. We'd rather be accurate than aggressive.
How GhostMyData Handles This
We built a compliance verification system that applies the statutory direct relationship test to every single entry in our broker directory:
- Legal classification — every source is categorized as STATUTORY_DATA_BROKER, DIRECT_RELATIONSHIP, SERVICE_PROVIDER, GRAY_AREA, or MONITORING_ONLY
- Daily compliance monitoring — automated checks verify opt-out URLs are healthy and classifications are current
- Weekly audits — full directory review flags any entries that may need reclassification
- Conservative approach — when in doubt, we exclude rather than risk sending unauthorized requests
The result: every removal request we send is backed by a verified legal basis under California law.
What to Look for in a Privacy Service
When evaluating data removal services, ask these questions:
- Do they define "data broker" anywhere? If not, they may be targeting the wrong companies.
- Do they reference specific privacy laws? Legitimate services cite CCPA, the Delete Act, or GDPR.
- Do they distinguish between data brokers and other companies? If they claim to remove you from "dating apps" or "review sites," they may not understand the law.
- Do they verify their broker directory? Ask how often they audit their list and what legal standard they apply.
Frequently Asked Questions
What is the legal definition of a data broker?
Under California Civil Code Section 1798.99.80, a data broker is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
Are dating apps data brokers?
No. Dating apps like Match.com, Bumble, and Hinge have direct relationships with their users — you create an account and voluntarily provide your data. They are excluded from the data broker definition under California law.
Are background check companies data brokers?
Most consent-based background check companies (HireRight, Sterling, Checkr) are not data brokers because subjects consent to the check under FCRA Section 604. However, some companies like The Work Number (an Equifax subsidiary) collect employer data without employee consent and are registered on California's broker registry.
How many data brokers are there?
California's official registry lists over 500 registered data brokers. The total number of companies that broker personal data globally is estimated at 4,000 or more, though many operate without registering as required by law.
Can I remove my data from a company that isn't a data broker?
You can request deletion under CCPA or GDPR regardless of whether a company is a data broker. However, the specific "data broker deletion" rights under the California Delete Act only apply to registered data brokers.