Many data brokers aren’t registering across state lines, privacy groups say

An analysis of four states with data broker registry laws found that hundreds of brokers are registered as such in one state but not in others.
(Image Credit: Getty Images)

Hundreds of companies registered as data brokers in one U.S. state are not recognized as such in other states with similar disclosure laws, according to a new analysis by the Privacy Rights Clearinghouse and the Electronic Frontier Foundation.

The country has a data broker problem, with few meaningful laws at the federal or state level to curb the mass collection and resale of Americans’ data. These brokers are typically third-party companies that mine the internet, buy customer data from other businesses and otherwise acquire information on hundreds of thousands or millions of Americans with whom they’ve never directly done business.

But before policymakers can rein in the practice, they first must classify the offending companies.

The federal government has no legal definition for what constitutes a data broker, and in that absence states like California, Texas, Oregon and Vermont have passed their own laws requiring data brokers in their state to register and provide further information to the government on their practices.

But an analysis by EFF and the Privacy Rights Clearinghouse identified hundreds of companies that are registered as data brokers in one of those states but aren’t listed as such in the other three.

And those figures likely only scratch the surface of the gap, since numerous “shady” companies probably don’t take steps to register in any state.

“This analysis only includes companies that registered in at least one state. It does not capture data brokers that completely disregard state laws by failing to register in any state,” wrote authors Mario Trujillo and Haley Tsukayama. “A total of 750 data brokers have registered in at least one state. While harder to find, shady data brokers who have failed to register anywhere should remain a primary enforcement target.”

The authors provided a spreadsheet detailing hundreds of businesses across the four states, links to their privacy and collection policies, business addresses, opt-out information and points of contact.

The authors aren’t claiming these companies are breaking the law. Some of those discrepancies may stem from the different ways states legally define a data broker.

California defines the term as any business “that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Texas’ law includes any business “whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual.” Oregon law covers any business or entity “that collects and sells or licenses brokered personal data to another person,” while Vermont’s covers any business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

All four states have numerous and sometimes differing exceptions for certain businesses and circumstances and “there are variations that could require a company to register in one state and not another.”

“To take one example, a data broker registered in Texas that only brokers the data of Texas residents would not be legally required to register in California,” the authors wrote. “To take another, a data broker that registered with Vermont in 2020 that then changed its business model and is no longer a broker, would not be required to register in 2025.”

Instead, the organizations are calling for state investigators to conduct greater scrutiny and oversight of their data broker industries. They sent letters to attorneys general in all four states highlighting the number of unregistered data brokers who may be operating in their state without disclosure.

“Our analysis is based on a straightforward premise: data brokers that self-identify as such by registering in other states — or those who registered in any state in previous years — may have obligations to register in California if they meet the statutory definition of a data broker under California law,” the authors and Privacy Rights Clearinghouse’s Emory Roane wrote to California Attorney General Rob Bonta on Tuesday.

Data privacy experts say that simply registering data brokers won’t reduce their appetite for consumer data on its own, but identifying and classifying who does and doesn’t fall under that definition is a crucial first step to any follow-up legal or policy actions to stem the practice.

Last year, privacy expert Justin Sherman told CyberScoop that while the lack of clarity around who is and isn’t considered a broker is a problem for policymakers, it’s insufficient to meaningfully crack down on a practice that has broadly compromised the personal information of most Americans.

“Making transparency and self-regulation the biggest focal points are data broker lobbying strategies to keep the burden on consumers,” Sherman said.

Congress attempted to push data privacy legislation last year that would have set up a national registry for data brokers, but the effort broke down amid infighting and failed to get a vote. The congressional push has now shifted to the Republican-led House Energy and Commerce Committee, which put out an RFI and is currently engaging with industry on how to craft such a bill, as well as individual members on the Democratic side who have promoted their own bills.

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.