
Is Selling Personal Data Legal? State-by-State Breakdown in 2026

Discover if selling your personal data is legal in your state. Our 2026 guide breaks down privacy laws by location. Learn your rights and options today.

Written by GhostMyData Team | February 18, 2026 | 14 min read

The sale of personal data has evolved from a niche industry practice into a multi-billion dollar economy that touches virtually every American. As someone who's spent years covering data privacy, I can tell you that the legal landscape surrounding personal data sales is fragmented, rapidly evolving, and varies dramatically depending on where you live. The short answer? Yes, selling personal data is generally legal in the United States—but with increasingly important exceptions and restrictions that vary by state.

Unlike the European Union's comprehensive GDPR framework, the U.S. has taken a patchwork approach to data privacy regulation. There's no federal law that broadly prohibits the sale of personal information, which means companies can legally collect, aggregate, and sell your data unless specific state laws or sector-specific federal regulations say otherwise. This creates a confusing situation where your rights depend heavily on your ZIP code.

Overview of the Legal Framework

The United States operates under what privacy experts call a "sectoral" approach to data protection. Rather than one comprehensive law, we have multiple federal laws covering specific types of data or industries, supplemented by an expanding patchwork of state regulations.

Federal Laws That Touch Data Sales

At the federal level, several laws restrict how certain types of personal information can be sold, though none create a blanket prohibition:

Health Insurance Portability and Accountability Act (HIPAA) strictly limits how covered entities—hospitals, health insurers, and healthcare clearinghouses—can use and disclose protected health information. Under 45 CFR § 164.502(a)(5)(ii), these entities generally cannot sell health information without explicit authorization. However, HIPAA doesn't cover health apps, fitness trackers, or most health-related websites, creating a significant loophole.

Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices and give consumers the right to opt out of certain data sharing. The law, codified at 15 U.S.C. § 6801-6809, doesn't prohibit data sales outright but requires transparency and opt-out mechanisms.

Children's Online Privacy Protection Act (COPPA) prohibits the sale of personal information from children under 13 without verifiable parental consent (15 U.S.C. § 6501-6506). This remains one of the strongest federal protections, though enforcement has struggled to keep pace with modern app ecosystems.

Fair Credit Reporting Act (FCRA) regulates how consumer reporting agencies can collect and share credit information, but its protections don't extend to the broader data broker industry that trades in non-credit personal data.

The Federal Trade Commission Act (15 U.S.C. § 45) gives the FTC authority to pursue "unfair or deceptive" practices, which has become the agency's primary tool for addressing data broker abuses. However, this reactive approach requires case-by-case enforcement rather than establishing clear rules upfront.

State Privacy Laws: The New Frontier

Since California passed the groundbreaking California Consumer Privacy Act (CCPA) in 2018, enhanced by the California Privacy Rights Act (CPRA) in 2020, at least 19 states have enacted comprehensive privacy laws. As of 2026, the following states have laws that specifically address data sales:

States with comprehensive privacy laws:

  • California (CCPA/CPRA - Cal. Civ. Code § 1798.100 et seq.)
  • Virginia (VCDPA - Va. Code Ann. § 59.1-575 et seq.)
  • Colorado (CPA - C.R.S. § 6-1-1301 et seq.)
  • Connecticut (CTDPA - Conn. Gen. Stat. § 42-515 et seq.)
  • Utah (UCPA - Utah Code Ann. § 13-61-101 et seq.)
  • Montana (MTCDPA)
  • Oregon (OCPA)
  • Texas (TDPSA)
  • Delaware (DPDPA)
  • Iowa (Iowa Consumer Data Protection Act)
  • Indiana (ICDPA)
  • Tennessee (TIPA)
  • Maryland (MODPA)
  • Minnesota (MCDPA)
  • Nebraska (NDPA)
  • New Hampshire (NHDPA)
  • New Jersey (NJDPA)
  • Kentucky (KCPA)
  • Rhode Island (RIDPA)

Each law takes a slightly different approach, but most share common elements: they define what constitutes a "sale" of personal data, require businesses to provide transparency about data practices, and give consumers rights to opt out of data sales.

California's framework remains the most robust. Under the CPRA, businesses must provide a clear "Do Not Sell or Share My Personal Information" link on their homepage. The law defines "sale" broadly to include exchanging personal information for "valuable consideration," which captures many arrangements that companies might not traditionally consider "sales."

Vermont took a different approach with its data broker registration law (9 V.S.A. § 2430 et seq.), which requires data brokers to register with the state and pay an annual fee, though it doesn't prohibit data sales outright. This transparency-focused approach has revealed that hundreds of data brokers operate in the shadows of the digital economy.

Who Is Covered and What's Protected

Understanding whether a particular data sale is legal requires knowing three things: what entity is selling the data, what type of data is being sold, and where the consumers whose data is being sold are located.

Business Thresholds and Exemptions

Most state privacy laws only apply to businesses that meet certain thresholds. California's CPRA, for example, applies to businesses that:

  • Have gross annual revenues exceeding $25 million
  • Buy, sell, or share personal information of 100,000 or more consumers or households annually
  • Derive 50% or more of annual revenue from selling or sharing consumers' personal information

These thresholds mean that smaller data brokers may escape regulation entirely, while larger companies like data aggregators and advertising technology platforms fall squarely within the laws' scope.

Importantly, most state laws exempt certain entities:

  • Government agencies
  • Nonprofit organizations (in some states)
  • Financial institutions already covered by GLBA
  • Covered entities under HIPAA (for protected health information)
  • Consumer reporting agencies regulated by FCRA (for credit reporting activities)

Types of Personal Data and Special Categories

State laws typically define "personal information" broadly as any information that identifies, relates to, or could reasonably be linked to a particular consumer or household. This includes:

  • Identifiers: Name, address, email, phone number, Social Security number, driver's license number, IP address, device IDs
  • Commercial information: Purchase history, browsing behavior, consumer preferences
  • Biometric data: Fingerprints, facial recognition data, voiceprints, retina scans
  • Internet activity: Browsing history, search history, interaction with websites or apps
  • Geolocation data: Precise physical location information
  • Professional information: Employment history, salary information
  • Education information: School records, degrees, transcripts
  • Inferences: Profiles reflecting preferences, characteristics, behavior, attitudes

Most laws create special protections for "sensitive personal information," which typically includes:

  • Social Security numbers, driver's license numbers, passport numbers
  • Account credentials and financial account information
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, union membership
  • Genetic data and biometric data
  • Health information and sexual orientation
  • Personal information from children under 13 (or 16 in some states)

For sensitive data, many state laws require opt-in consent rather than just opt-out rights, creating a higher bar for legal data sales.

What Qualifies as a "Sale"

This is where things get nuanced. Under California's CPRA, a "sale" means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration."

That phrase "other valuable consideration" is crucial. It means that even if no money changes hands, sharing data in exchange for something of value—like access to an advertising network, reciprocal data sharing, or enhanced services—may constitute a "sale" under the law.

However, most state laws carve out exceptions for certain disclosures that don't count as sales:

  • Sharing data with service providers who process data on the business's behalf under contract
  • Disclosures to complete a transaction the consumer requested
  • Transfers as part of a merger or acquisition
  • Disclosures required by law
  • Sharing with affiliates under common ownership

Understanding these distinctions matters because businesses must provide opt-out rights specifically for "sales" but not necessarily for all data sharing.

Step-by-Step Process for Understanding Your Rights

If you're trying to determine whether your personal data can be legally sold—or trying to stop such sales—here's how to navigate the current legal landscape.

Step 1: Determine Which State Laws Apply to You

Your rights depend primarily on where you reside. If you live in one of the 19 states with comprehensive privacy laws, you have statutory rights to opt out of data sales. If you don't, your options are more limited.

Keep in mind that some state laws have delayed effective dates or phased implementation. Check your state attorney general's website for the current status of enforcement.

Step 2: Identify the Businesses Selling Your Data

This is harder than it should be. Data brokers operate largely behind the scenes, collecting information from public records, online activity, purchase histories, and other brokers. The data broker industry includes an estimated 4,000+ companies, though only a fraction are widely known.

Major categories include:

  • People search sites: Spokeo, BeenVerified, Whitepages, Intelius
  • Marketing data aggregators: Acxiom, Epsilon, Oracle Data Cloud
  • Credit bureaus: Experian, Equifax, TransUnion (which also sell marketing data beyond credit reports)
  • Advertising technology companies: LiveRamp, Neustar, Lotame
  • Location data brokers: SafeGraph, Placer.ai, Foursquare
  • Health data brokers: IQVIA, Symphony Health, Komodo Health

Most consumers have profiles with dozens or hundreds of data brokers without knowing it. Services like GhostMyData scan across 2,100+ data brokers to identify where your information appears—far more comprehensive than attempting manual searches across the fragmented broker landscape.

Step 3: Exercise Your Opt-Out Rights

For businesses covered by state privacy laws, you have the right to opt out of data sales. Here's how:

For California residents under CCPA/CPRA:

  • Look for a "Do Not Sell or Share My Personal Information" link on the business's website (usually in the footer)
  • Click the link and follow the opt-out process
  • The business must honor your request within 15 days
  • You can also enable the Global Privacy Control (GPC) browser signal, which California businesses must honor as a valid opt-out request

For residents of other states with privacy laws:

  • Check the business's privacy policy for opt-out instructions
  • Most states require an accessible opt-out mechanism, though the specific implementation varies
  • Some states allow you to appeal if your request is denied

For data brokers specifically:

  • Visit the broker's website and look for privacy policy or opt-out links
  • Many brokers have dedicated opt-out pages (though finding them can be challenging)
  • Expect to provide identifying information to verify your identity
  • Understand that opting out from one broker doesn't affect your profiles with other brokers

The manual opt-out process is time-consuming and often frustrating. Data brokers may require you to submit requests through specific web forms, provide copies of identification, or navigate intentionally complex processes. Additionally, brokers may re-acquire your information from other sources after you opt out, requiring ongoing monitoring.

Step 4: Register with State Do Not Call and Marketing Lists

While these don't directly prevent data sales, they limit how your information can be used:

  • National Do Not Call Registry: Register at donotcall.gov or call 1-888-382-1222
  • DMAchoice: The Direct Marketing Association's opt-out service at dmachoice.org
  • NAI Opt-Out: Network Advertising Initiative's tool at optout.networkadvertising.org
  • DAA WebChoices: Digital Advertising Alliance's opt-out at optout.aboutads.info

Step 5: Monitor and Maintain Your Privacy

Data privacy isn't a one-time action. New data brokers emerge, existing brokers re-acquire data, and your digital footprint expands over time. Effective privacy management requires ongoing attention:

  • Periodically search for your name on people search sites
  • Review privacy policies of services you use
  • Use privacy-focused browser settings and extensions
  • Consider using a privacy removal service that provides continuous monitoring

Common Pitfalls and How to Avoid Them

Even with legal protections in place, consumers frequently encounter obstacles when trying to control how their data is sold.

Pitfall 1: Assuming Federal Law Protects You

Many people believe that federal law prohibits the sale of their personal information. In reality, federal protections are limited to specific sectors (health, finance, children's data) and don't cover the vast majority of personal data collected and sold by data brokers, social media platforms, and advertising networks.

How to avoid it: Understand that your primary protections come from state law. If your state hasn't enacted a comprehensive privacy law, consider advocating for legislation or using contractual tools (like terms of service and privacy settings) to limit data sharing.

Pitfall 2: Confusing "Opt-Out" with "Delete"

Opting out of data sales doesn't necessarily mean the business deletes your information. Under most state laws, these are separate rights. A business might honor your opt-out request but continue to retain your data for other purposes.

How to avoid it: If you want your data deleted, submit a separate deletion request (often called a "right to delete" or "right to erasure" request). Be aware that businesses can refuse deletion requests in certain circumstances, such as when they need the data to complete a transaction, detect fraud, or comply with legal obligations.

Pitfall 3: Not Verifying Your Identity Properly

Data brokers and businesses must verify your identity before honoring privacy requests to prevent fraudulent requests. However, the verification process itself can feel invasive, sometimes requiring you to provide additional personal information or copies of government IDs.

How to avoid it: Use the least invasive verification method offered. Some businesses allow verification through email or phone number confirmation. If you must provide an ID, check whether you can redact certain information (like your photo or ID number) while still proving your identity.

Pitfall 4: Missing Hidden Data Brokers

The data broker industry is vast and opaque. While you might successfully opt out from well-known people search sites, hundreds of lesser-known brokers continue to trade your information.

How to avoid it: Recognize that comprehensive privacy protection requires covering the entire broker ecosystem. Manual opt-outs typically reach fewer than 50 brokers—a fraction of the industry. Services like GhostMyData monitor 2,100+ data brokers, compared to competitors who typically cover only 35-500, ensuring more complete protection.

Pitfall 5: Believing "Legitimate Interest" Overrides Your Rights

Some businesses claim they can continue processing your data based on "legitimate interest" even after you opt out. While this is a valid legal basis under GDPR, most U.S. state laws don't recognize legitimate interest as a reason to override opt-out requests for data sales.

How to avoid it: If a business denies your opt-out request based on legitimate interest, check your state law. In California and most other states with comprehensive privacy laws, legitimate interest doesn't override your right to opt out of sales. Consider filing a complaint with your state attorney general if the business refuses to comply.

Pitfall 6: Ignoring the Global Privacy Control

The Global Privacy Control (GPC) is a browser setting that automatically signals your opt-out preference to websites you visit. California law requires businesses to honor GPC signals as valid opt-out requests, yet many people don't know it exists.

How to avoid it: Enable GPC in your browser settings. It's currently supported in browsers like Firefox, Brave, DuckDuckGo, and through browser extensions for Chrome and Edge. Visit globalprivacycontrol.org for implementation instructions.
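
How a website can recognise the GPC signal described above, as an added example that is not part of the original article. The `Sec-GPC` request header comes from the GPC specification; the function names, the account record shape, and the sample requests in the test are hypothetical.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// A browser with GPC enabled sends the request header "Sec-GPC: 1".
// hasGpcSignal, saleDecision and the account record are hypothetical names.

// Return true only when the request carries the GPC signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    // Header names are case-insensitive.
    if (name.toLowerCase() !== "sec-gpc") continue;
    // Repeated headers may arrive as an array or as a comma-joined string.
    const values = Array.isArray(value) ? value : String(value).split(",");
    // This example treats anything other than "1" ("0", "true", empty)
    // as no signal.
    return values.length > 0 && values.every((v) => v.trim() === "1");
  }
  return false;
}

// Combine the browser signal with an opt-out already stored for the account.
function saleDecision(headers, account) {
  const gpc = hasGpcSignal(headers);
  const stored = Boolean(account && account.optedOutOfSale);
  const optedOut = gpc || stored;
  return {
    optedOut,
    // Where the opt-out came from, useful for audit logs.
    source: gpc ? "gpc" : stored ? "account" : "none",
    // A signal from a logged-in user can be saved so the opt-out also
    // applies to processing that happens outside this browser session.
    persistOptOut: gpc && account != null && !stored,
    // Gate every third-party sale or share on this flag.
    allowThirdPartySale: !optedOut,
  };
}
```
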

Templates and Resources

Having the right language can make privacy requests more effective. Here are templates and resources to help you exercise your rights.

Opt-Out Request Template

```
Subject: Request to Opt Out of Sale of Personal Information

To Whom It May Concern:

I am a [State] resident writing to exercise my right to opt out of the sale of my personal information under [State Privacy Law].

Please immediately stop selling, sharing, or otherwise disclosing my personal information to third parties.

My information:

Name: [Your Full Name]
Email: [Your Email]
Phone: [Your Phone Number]
Address: [Your Address]

Please confirm receipt of this request and your compliance within the timeframe required by law.

Sincerely,

[Your Name]
```

Data Deletion Request Template

```
Subject: Request to Delete Personal Information

To Whom It May Concern:

I am a [State] resident writing to exercise my right to deletion under [State Privacy Law].

Please delete all personal information you have collected about me, including:

  • Information collected directly from me
  • Information obtained from third parties
  • Inferences and profiles derived from my information

My information:

Name: [Your Full Name]
Email: [Your Email]
Phone: [Your Phone Number]
Address:
```
