Why Are Hundreds of Data Brokers not Registering with States?

Data broker registrations by state versus total identified brokers (750). The gap between registered brokers and the reference line represents brokers that may be required to register but have not yet done so, highlighting significant compliance gaps across all state registries.

Posted: June 20 2025

Written in collaboration with the Electronic Frontier Foundation

A unified database of 750+ data brokers across five state registries—and the compliance gaps we found

Hundreds of data brokers have not registered with state consumer protection agencies. These findings come as more states are passing data broker transparency laws that require brokers to provide information about their business and, in some cases, give consumers an easy way to opt out.

In recent years, California, Texas, Oregon, and Vermont have passed data broker registration laws that require brokers to identify themselves to state regulators and the public. A new analysis by Privacy Rights Clearinghouse (PRC) and the Electronic Frontier Foundation (EFF) reveals that many data brokers registered in one state aren’t registered in others.

PRC and EFF sent letters to state enforcement agencies urging them to investigate these findings. More investigation by states is needed to determine whether these registration discrepancies reflect widespread noncompliance, gaps and definitional differences in the various state laws, or some other explanation.

Download the data

We're making this entire database freely available under Creative Commons CC-BY-NC-SA 4.0 licensing for researchers, policymakers, advocates, and the public. Please credit Privacy Rights Clearinghouse when using this data.

Please credit Privacy Rights Clearinghouse when using this data. For commercial uses or if the CC-BY-NC-SA 4.0 license terms don't work for your specific implementation, please reach out to us directly through our contact form.

We encourage researchers to build on this foundation and look forward to seeing how this data enables new insights into data broker practices.

Download Database (xlsx)

Companies that registered in one state but did not register in another include: 291 companies that did not register in California, 524 in Texas, 475 in Oregon, and 309 in Vermont. These numbers come from data analyzed from early April 2025.

Privacy Rights Clearinghouse has advocated for data broker transparency for decades. Following Vermont's pioneering data broker registry law in 2019, the California Delete Act and subsequent laws in Oregon and Texas, we can now piece together a more comprehensive view of this largely opaque industry.

We systematically collected and analyzed registration data from five state registries in April 2025, identifying 750 unique data broker groups operating across the country. This database consolidates registration information from:

California Privacy Protection Agency (current Delete Act registry)
California Attorney General (legacy registry, 2019-2024)
Vermont Secretary of State (2019-present)
Texas Secretary of State (2024-present)
Oregon Department of Financial Regulation (2024-present)

You can use this database to:

Search data brokers by name or data collection practices
Compare what companies disclose to different state regulators
Find contact information for privacy deletion requests
Research industry compliance patterns across states

Our thanks to the Electronic Frontier Foundation and the Harvard Law School Cyberlaw Clinic for their collaboration on this project.

Takeaways of this research

New data broker transparency laws are an essential first step to reining in the data broker industry. This is an ecosystem in which your personal data taken from apps and other web services can be bought and sold largely without your knowledge. The data can be highly sensitive like location information, and can be used to target you with ads, discriminate against you, and even enhance government surveillance. The widespread sharing of this data makes us more susceptible to data breaches. And its easy availability allows it to be used by bad actors for phishing, harassment, or stalking.

Consumers need robust deletion mechanisms to remove their data from these platforms. But the potential registration gaps we identified threaten to undermine such tools. California’s Delete Act will soon provide consumers with an easy tool to delete their data held by brokers—but it can only work if brokers register. California has already brought a handful of enforcement actions against brokers who failed to register under that law, and such compliance efforts are becoming even more critical as deletion mechanisms come online.

It is important to understand the scope of our analysis.

This analysis only includes companies that registered at least once in at least one state. It does not capture data brokers that completely disregard state laws by failing to register in any state. A total of 750 data brokers have registered in at least one state. While harder to find, shady data brokers who have failed to register anywhere should remain a primary enforcement target.

This analysis also does not claim or prove that any of the data brokers we found broke the law. While the definition of “data broker” is similar across states, there are variations that could require company to register in one state and not another. To take one example, a data broker registered in Texas that only brokers the data of Texas residents would not be legally required to register in California. To take another, a data broker that registered with Vermont in 2020 that then changed its business model and is no longer a broker, would not be required to register in 2025. More detail on variations in data broker laws is outlined in our letters to regulators. This analysis reflects a snapshot of the registries from early April 2025. Since then, California's data broker registry alone has grown by nearly 100 registrations to 522 as of publication.

States should investigate compliance with data broker registration requirements, enforce their laws, and plug any loopholes. Ultimately, consumers deserve protections regardless of where they reside, and Congress should also work to pass baseline federal data broker legislation that minimizes collection and includes strict use and disclosure limits, transparency obligations, and consumer rights.

Enforcement Update

Since we published these findings, CalPrivacy has taken action against multiple unregistered data brokers:

Background Alert was ordered to shut down through 2028 or pay $50,000
Accurate Append paid $55,400
ROR Partners paid $56,600 for profiling 262 million Americans without registering
Datamasters paid $45,000 and was ordered to stop selling Californians' data

In November 2025, CalPrivacy launched a Data Broker Enforcement Strike Force to investigate the industry more systematically.

Delete Your Information from Data Brokers

Deleting your information from data brokers can be a difficult task, but California residents can now request deletion from every registered data broker through a single free mechanism: the Delete Request and Opt-Out Platform (DROP), launched January 1, 2026 under California's Delete Act.

For more information on data brokers, DROP, how it works, and options for non-Californians, see our guide to deleting your information from data brokers.