Data Broker Registration Gaps Exposed

The biggest lie about data broker regulation? That there's a system in place to catch bad actors.

Most people assume data brokers must register somewhere. That someone's watching. That if a company's collecting and selling your personal data, they're at least accountable to *someone*.

Wrong.

The U.S. has no federal privacy law. Zero. The entire regulatory framework is a patchwork of state laws with massive gaps. Hundreds of data brokers operate in these gaps—legally unregistered, largely invisible, and completely unaccountable.

The Data Broker Registration Myth vs Reality

Myth: Data brokers must register with the government before collecting your data.

Reality: Only a handful of states require data broker registration. California, Vermont, and Texas have registration laws. That's it. The other 47 states? Nothing.

Even in states with registration laws, enforcement is weak. In 2025, California had 499 registered data brokers. Our analysis of the data broker ecosystem identifies over 1,500 active brokers. Where are the other 1,000+?

They're operating in the gaps.

Myth: If a data broker violates privacy laws, they lose their license.

Reality: There's no license to lose. Data broker registration isn't a permission system—it's a disclosure system. Brokers pay a fee (typically $200-$400) and submit basic business information. That's it.

No background checks. No compliance audits. No ongoing oversight in most cases.

California's registration law requires brokers to disclose whether they allow opt-outs, but it doesn't *require* them to offer opt-outs. Vermont's law requires annual registration but includes no enforcement mechanism for non-compliance.

Myth: State privacy laws cover everyone equally.

Reality: State privacy laws only protect residents of that state. If you live in Florida, California's privacy law doesn't help you. The data broker selling your information to insurance companies, employers, and scammers? They only have to comply with Florida law.

Florida has no comprehensive privacy law.

This creates a race to the bottom. Brokers can incorporate in states with weak regulations and sell data nationwide. They only need to comply with the strictest state law when dealing with residents of that state—and only if they meet that state's thresholds for coverage.

Who's Covered and What's Protected Under Current Law

The data broker regulation patchwork creates confusing coverage gaps.

State-by-State Coverage

California (CCPA/CPRA): Covers businesses with $25M+ annual revenue, or those buying/selling personal info of 100,000+ California residents, or those deriving 50%+ revenue from selling personal info. Effective since 2020.

Vermont: Requires registration but doesn't grant residents deletion rights. Registration fee: $100 annually. Brokers must disclose data types collected and whether they allow opt-outs. That's it.

Texas (TDPSA): Effective July 2024. Covers businesses with $25M+ annual revenue that process data of 100,000+ Texas residents. Requires data broker registration starting January 2026.

Colorado, Connecticut, Virginia, Utah, Montana: Have consumer privacy laws but no specific data broker registration requirements. Coverage thresholds vary wildly.

Other 43 states: No comprehensive privacy law. No data broker oversight. Residents have essentially zero legal protection from data brokers.

What "Registration" Actually Means

Data broker registration laws sound protective. They're not.

California's law requires brokers to register annually and pay $400. They must disclose:

• Whether they allow opt-outs
• How to submit opt-out requests
• Whether they collect and sell minors' data

That's the entire requirement. No approval process. No compliance verification. No penalties for lying on the form (unless the Attorney General decides to investigate, which rarely happens).

Vermont's law is even weaker—just $100 and basic business information.

Registration creates a public list. That's helpful for services like GhostMyData that need to track brokers, but it doesn't stop brokers from operating. It doesn't force them to honor deletion requests. It doesn't prevent them from re-collecting your data next month.

The "Publicly Available" Loophole

This is the big one. State privacy laws exempt "publicly available information" from most protections. Sounds reasonable—if something's already public, why regulate it?

Here's the problem: Data brokers have weaponized this exemption.

"Publicly available" includes:

• Voter registration records (name, address, party affiliation)
• Property deeds and tax records (home value, purchase price, ownership history)
• Court records (lawsuits, divorces, bankruptcies)
• Professional licenses (real estate agents, contractors, healthcare providers)
• Marriage and birth certificates (depending on state)

Data brokers scrape these government databases, aggregate the information with purchase history and online behavior, then sell detailed profiles. All perfectly legal under current state privacy laws because the *source* data is public.

The FTC confirmed in multiple enforcement actions: no federal law prevents publishing publicly available information online, even when aggregated in privacy-invasive ways.

How Unregistered Data Brokers Exploit the Patchwork

The lack of federal privacy law creates exploitable gaps. Smart brokers know exactly where those gaps are.

Strategy 1: Incorporate in Weak States

Data brokers can incorporate anywhere. Many choose Delaware (favorable business laws) or Nevada (strong privacy for corporate records, weak privacy for individuals).

They then operate nationwide but only comply with state laws that specifically apply to them. If they stay under California's revenue thresholds, they ignore CCPA. If they don't specifically target Vermont residents, they skip Vermont registration.

Enforcement is nearly impossible. A Texas resident whose data is sold by a Delaware-incorporated broker operating servers in Nevada? Good luck figuring out which state's Attorney General has jurisdiction.

Strategy 2: Registration Shopping

Some brokers register in one state but not others. Our analysis of registration databases found brokers listed in California but not Vermont, or vice versa.

Why? Because registration requirements differ. California requires disclosure of data types and opt-out procedures. Vermont just wants basic business info. Texas requires describing cybersecurity practices.

Brokers register where it's easiest or where they face the most legal risk, then ignore states with stricter requirements.

In 2025, we identified 35 brokers that registered in California but added "noindex" tags to their opt-out pages—making them invisible to search engines. Technically compliant with registration requirements, but practically impossible for consumers to find.

Five registered brokers offered no opt-out page at all. They're still on California's registered broker list.

Strategy 3: The Re-Aggregation Game

Here's how brokers exploit the "publicly available" exemption and weak state laws simultaneously:

You submit an opt-out request. The broker complies and deletes your profile. Three months later, your data reappears on the same site.

What happened? The broker re-scraped public records. New property tax filing. Updated voter registration. Court document from that traffic ticket. Each is a "new" data collection event, not covered by your original opt-out.

Technically legal. Practically, it makes opt-outs worthless.

State privacy laws don't require brokers to suppress your data permanently. They only require honoring the specific deletion request. When the broker collects your data again from a public source, they can re-list you.

This is why continuous monitoring matters. Based on our removal data across 1,500+ brokers, 60-70% of profiles reappear within 6 months without ongoing suppression requests.

Strategy 4: Identity Verification Barriers

CCPA allows brokers to require identity verification before processing deletion requests. Makes sense—they shouldn't delete the wrong person's data.

But some brokers weaponize this requirement.

LexisNexis requires government-issued ID *and* proof of address. Acxiom uses a knowledge-based verification quiz with questions only someone with access to your full data profile could answer. Epsilon requires notarized forms for some requests.

Under CCPA, if a broker can't verify your identity, they must treat the request as an opt-out of data sales. Many brokers don't comply with this requirement. They just reject the request entirely.

The average person gives up after one or two rejections. Brokers know this. The friction is the point.

Strategy 5: The Shell Game

Some brokers operate multiple brands. Same company, different websites, separate "legal entities" for registration purposes.

One entity registers in California. Another operates in Texas. A third handles Virginia residents. All share the same database.

You opt out of one site. Your data remains on the other two. You'd need to identify all three brands (not disclosed anywhere), submit separate requests to each, and hope they all comply.

Our database tracks these relationships across 1,500+ brokers. We've identified broker networks with 5-10 consumer-facing sites, all pulling from shared data infrastructure, all requiring separate opt-out requests.

What California's DROP Portal Changes (and Doesn't)

California is launching the Delete Request Online Portal (DROP) in August 2026. It's the most significant data broker regulation to date.

How DROP Works

DROP creates a single portal where California residents can submit deletion requests to *all* registered California data brokers at once. No more tracking down individual broker opt-out pages. No more submitting dozens of separate requests.

Key requirements:

• Brokers must check DROP for new deletion requests every 45 days
• Brokers must process requests within 45 days of receiving them
• Failure to comply: $200 per day per violation
• Covers all 499+ registered California data brokers

This is huge for California residents. It eliminates the friction that makes individual opt-outs impractical.

What DROP Doesn't Fix

DROP only covers *registered* California data brokers. The 1,000+ unregistered brokers? Not included.

DROP only protects California residents. If you live anywhere else, you're on your own.

DROP doesn't solve the re-aggregation problem. Brokers can still re-collect your data from public records and re-list you. You'd need to submit new DROP requests every few months.

DROP doesn't cover brokers below California's coverage thresholds. Small brokers, brokers with under $25M revenue, brokers that don't meet the 100,000-resident threshold—all exempt.

DROP doesn't address the "publicly available" exemption. Brokers can still aggregate and sell public records data.

And DROP is California-only. The other 49 states still have the same patchwork of weak laws and massive gaps.

The Federal Privacy Law Gap: Why It Matters

The absence of federal privacy law isn't just a theoretical problem. It creates real harm.

Identity Theft and Fraud

Data brokers sell to anyone. "Skip tracing" services sell your current address, phone number, and relatives' names for $1-5. "People search" sites publish your home address, age, and household members for free.

Scammers use this information for:

• Targeted phishing (using real family names and addresses to seem legitimate)
• Account takeover (answering security questions with broker data)
• SIM swapping (using your address and phone number to convince carriers to port your number)
• Tax fraud (filing fake returns with stolen personal info)

The FTC reported 5.7 million fraud reports in 2023, with losses exceeding $10 billion. Data brokers provide the raw material for much of this fraud. As we covered in our guide to how data brokers fuel identity theft, breached data gets aggregated by brokers within weeks—making removal urgent after any breach.

Stalking and Harassment

Domestic violence survivors fleeing abusers face a terrifying reality: data brokers publish their new addresses within weeks of moving.

Address confidentiality programs exist in most states, but they only cover government records. Data brokers can still obtain and publish addresses from:

• Utility hookup records
• Change of address filings
• Vehicle registration (in states where this is public)
• Property ownership (if they buy instead of rent)

Current state privacy laws don't prioritize survivor safety. California's CCPA includes no special protections. Vermont's law doesn't grant deletion rights at all.

A federal privacy law could mandate immediate deletion for at-risk individuals. The current patchwork offers nothing.

Employment and Housing Discrimination

Data brokers sell "risk scores" to employers and landlords. These scores incorporate:

• Eviction records (even if the eviction was dismissed)
• Arrest records (even if charges were dropped)
• Bankruptcy filings
• Medical liens
• Neighborhood demographics (which can serve as proxies for race)

Current state laws rarely cover employment or housing screening. Employers and landlords can buy and use this information with minimal legal constraints.

The Fair Credit Reporting Act (FCRA) covers some employment screening, but data brokers have structured products to fall outside FCRA's definition of "consumer report." They call them "people search" or "information services" instead.

Without federal privacy law, there's no comprehensive protection against discriminatory use of broker data.

What You Should Actually Do

The system is broken. That doesn't mean you're powerless.

Understand Your State's Protections

Check whether your state has a privacy law. If you're in California, Colorado, Connecticut, Virginia, or Utah, you have deletion rights. Use them.

If you're in Vermont or Texas, check whether brokers are registered. Registration lists are public—they're a starting point for identifying which brokers have your data.

If you're in one of the 43 states with no privacy law, you have no legal right to deletion. Some brokers will honor requests anyway (to avoid reputational harm), but they're not required to.

Start with a Free Exposure Check

Before you can remove your data, you need to know where it is. Our free exposure check scans the most common high-risk data brokers and shows you what's already public.

This is especially urgent if you've been affected by any data breach in the past year—breached data gets aggregated by brokers within weeks, creating new exposure even if you've never appeared on these sites before.

Don't Rely on One-Time Removals

The re-aggregation loophole makes one-time removals nearly useless. Brokers re-scrape public records every 3-6 months. Your data reappears unless you're continuously monitoring and re-submitting requests.

Based on our removal data across 1,500+ brokers, profiles reappear on 60-70% of sites within six months without ongoing suppression.

Continuous monitoring isn't optional anymore. It's the only strategy that works against the re-listing loophole.

Focus on Volume

The average person appears on 200-300 data broker sites. Removing yourself from 10-20 sites barely makes a dent.

GhostMyData monitors 1,500+ brokers—far more than competitors' 35-500. The coverage difference matters. A broker you've never heard of can publish your address, phone number, and relatives' names. Scammers and stalkers don't just check the big-name sites.

If you're dealing with stalking, harassment, or identity theft, comprehensive coverage isn't a luxury. It's necessary.

Navigate the Identity Verification Barriers

Some brokers make opt-outs intentionally difficult. LexisNexis requires government ID. Acxiom uses knowledge-based quizzes. Epsilon wants notarized forms.

These barriers are ones we navigate on behalf of users. We maintain relationships with broker compliance teams, know which verification methods each broker accepts, and handle the back-and-forth when requests get rejected.

You can do this yourself, but expect to spend 20-40 hours tracking down opt-out procedures, submitting requests, and following up on non-responses.

Wait for DROP (If You're in California)

California's DROP portal launches August 2026. If you're a California resident, this will make bulk deletion much easier—at least for registered brokers.

But DROP doesn't cover unregistered brokers, doesn't solve re-aggregation, and doesn't help residents of other states. It's a significant improvement for California residents, but not a complete solution.

Advocate for Federal Privacy Law

The real solution is federal legislation. Comprehensive privacy law with:

• Mandatory data broker registration nationwide
• Universal deletion rights regardless of state
• Penalties for non-compliance that actually hurt (not $200/day slaps on the wrist)
• Elimination of the "publicly available" loophole for aggregated data
• Special protections for at-risk individuals (DV survivors, minors, public officials)

Contact your Congressional representatives. Support organizations like the Electronic Frontier Foundation (EFF) and Consumer Reports that lobby for privacy legislation.

The patchwork won't fix itself.

Consider Automated Protection Now

With a limited-time spring privacy sale running through March 31, 2026, it's a good time to start continuous monitoring. Pro plans drop to $7.49/month for the first year, and Enterprise plans to $16.87/month—less than the cost of a single identity theft insurance claim.

The sale pricing auto-applies at checkout. Start with our free scan to see your current exposure, then decide whether ongoing monitoring makes sense for your risk profile.

The data broker registration patchwork won't change quickly. The lack of federal privacy law means unregistered brokers will keep operating in the gaps. Automated removal across 1,500+ brokers isn't perfect—the "publicly available" exemption is one tech alone can't fix—but it's the most effective strategy available under current law.

The system is broken. You can still protect yourself while we fight to fix it.