Registered Data Brokers in the United States

Using data available in state data broker registries, this report presents information on 540 unique registered data brokers and their

  • privacy policies
  • practices
  • areas of possible noncompliance

Background

Data brokers are businesses that collect individuals’ personal information and resell or share that information with third parties.1 For more than a decade, privacy and consumer advocates have raised concerns around the largely unregulated industry.2 This is due both to the nature and opacity of the industry. Data brokers rarely have direct contact with the people whose information they collect and share or resell, and people are generally unaware of their existence or data practices.3 The Federal Trade Commission and Government Accountability Office have published reports on the industry,4 and federal legislation has been introduced without success.5

Vermont (in 2018) and California (in 2019) enacted the first laws creating data broker registries to both shine a light on the data broker industry and better enable individuals to exercise privacy rights.6 Vermont’s data broker registration law was introduced in response to the Equifax data breach and went into full effect in 2019.7 California passed the nation’s second registration law in 2019, requiring data brokers to register with the Office of the Attorney General by the end of January 2020.8 Other states—including Maine and New York—have seen unsuccessful legislative efforts to pass similar laws.9

Data Broker Law Overviews

Vermont

The Vermont statute defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”10 Under the statute, a data broker is required to register with the Secretary of State, pay a $100.00 registration fee and provide

  • the name and primary physical, email and internet addresses of the data broker
  • (if the data broker permits a consumer to opt out of the data broker’s collection practices)
    • the method for requesting an opt out
    • the type of opt out (if the opt out applies to only certain activities or sales)
    • whether the data broker permits a consumer to authorize a third party to opt out on a consumer’s behalf
  • a statement specifying
    • the data collection, databases or sales activities from which a consumer may not opt out
    • whether the data broker implements a purchaser credentialing process11
  • any information the data broker has about security breaches it has experienced, including the number of
    • security breaches the data broker has experienced during the prior year
    • consumers affected by the breaches
  • a separate statement detailing the data collection practices, databases, sales activities and opt-out methods that are applicable to minors’ personal information (if the business has actual knowledge that it possesses the brokered personal information of minors)

If a data broker does not comply with the registration requirements, it is subject to a civil penalty of $50.00 per day, not to exceed $10,000 per year for each year it fails to register.

California

The California statute defines a data broker as “a business that knowingly collects and sells to third parties that personal information of a consumer with whom the business does not have a direct relationship.” California further distinguishes data brokers from the following categories of businesses:

  • a consumer reporting agency to extent that it is covered under the federal Fair Credit Reporting Act12
  • a financial institution to the extent that it is covered under the federal Gramm-Leach-Bliley Act and its implementing regulations13
  • an entity to the extent that it is covered by the California Insurance Information and Privacy Protection Act14

Data brokers are required to pay the registration fee required by the California Attorney General and provide

  • the data broker's name
  • the data broker's primary physical, email and web addresses
  • any additional information or explanation the data broker chooses to provide concerning its data practices

Under the statute, data brokers face penalties of $100 per day for failure to register on time and expenses incurred by the Attorney General‘s office for investigation and prosecution.15

Method

Data Collection and Processing

The first data set—consisting of the data broker registry from the Vermont Secretary of State—was obtained via web scraping during the summer of 2019.

The second data set—consisting of the data broker registries from the California Office of the Attorney General and Vermont Secretary of State—was obtained via direct download (California) and web scraping (Vermont)16 on July 1, 2021.

After compiling data from the two state registries, the data was

  • incorporated with Privacy Rights Clearinghouse's (now archived) Online Data Vendor List—a list of 180 data brokers collected prior to the enactment of the registration laws in Vermont or California
  • scanned to identify and eliminate duplicate entries

 

Type of Broker Classification

Based on the 2014 Federal Trade Commission report and industry trends, the individual registered data broker’s websites were surveyed and classified into one of four primary service categories*—recognizing that there may be crossover in some areas.19

If the classification was unclear, we classified it as such.

 

Categories*

Financial, Fraud Detection, Risk Mitigation

These businesses may compile consumer reports that are used to determine credit worthiness. They may also provide identity verification, fraud detection and risk mitigation services. Some data brokers falling under this category are required to comply with the federal Fair Credit Reporting Act. 

Health

These businesses compile and sell information that relates to a person’s health (e.g. any over-the-counter medications a person has purchased or health-related search history).

Marketing

These businesses sell products that allow businesses to engage in targeted marketing. They often collect information through online tracking and may sell information such as

  • the types of ads a with which a person interacts
  • the time a person spends on specific websites
  • how a user interacts with a website
  • individual consumer profiles

People Search

These businesses compile personal information—often from public records and social media—to create reports or profiles. They typically allow users to search for specific individuals.

 

We acknowledge that these categorizations are subjective, and a business may engage in more than one function.

 

Data Points

Data Broker

Business name as it appears on the registration.

Registry

The state registry on which the business appears.

Status

The registration status of the business (current/possibly expired/unsure).

  • Vermont indicates the current registration status of the data brokers on its registry.
  • California status is unclear in the July 2021 publicly available data.

Email Address

The email address with which the business registered.

If the data broker did not provide an email, we added a contact email from their website.

Website URL

The website URL with which the business registered.

If it did not provide a website, an online search of the business name led to a website. 

Privacy Policy

A hyperlink to the privacy policy found on the business’ website. 

Physical Address

The physical address under which the business registered. 

CA Date Added

The California Attorney General Date Added spreadsheet column (California only).

VT Registration ID

The registration ID that Vermont assigns to all data brokers that register in the state (Vermont only).

Type of Broker

The assigned classification reflecting the type of data broker.

CA Opt Out

Whether the data broker provides an opt-out method specific to California residents under the California Consumer Privacy Act.

Non-CA Opt Out

Whether the data broker provides an opt-out method that can be used by non-California residents.

Opt-Out Medium

The type of opt out, if available (form, email, button, some combination of the previous, none).

CCPA Request Disclosure

Whether the data broker reports California Consumer Privacy Act requests.

Findings

Summary

  1. State data broker registries are increasing transparency around businesses that comprise the data broker industry in accordance with their legislative intent. 
  2. After two years of registration requirements, the percentage of registered data brokers providing marketing services increased by 22% while the percentage of those providing people search services declined by 35%.
  3. 25% (135) of the 540 individual data brokers were registered in both California and Vermont—indicating potential noncompliance with registration requirements in both states. 
  4. It is unclear (using publicly available registry data) whether California registrants are complying with yearly registration requirements. 
  5. Data brokers are offering more opt-out options to California residents and residents of other states than they did in 2019 (before the California Consumer Protection Act went into effect).

State Data Broker Registries Increasing Transparency

In 2018, prior to any data broker registration requirements, Privacy Rights Clearinghouse identified 180 possible data brokers through

  • independent research
  • individual complaints submitted to the organization
  • media monitoring over the course of more than a decade

When the Vermont registry data became available in 2019, a total of 238 data brokers were registered with the state.

In July 2021, there were a total of 792 registry entries across both states.

  • 444 in the California registry
  • 348 in the Vermont registry

Accounting for duplicate entries, in July 2021 there were a total of 540 unique businesses registered.

  • 297 only in the California registry
  • 108 only in the Vermont registry
  • 135 in both state registries

Without access to any research that studies or attempts to document the full scope of the data broker industry, it is not possible to comment on the extent to which the 540 unique businesses registered represent the larger industry. However, the increase in registered businesses during this two-year period does indicate the number of registered data brokers more than doubled and the laws are accomplishing the legislative intent of increasing transparency around the industry.

Data Brokers Providing Marketing Increased, People Search Declined

Prior to the 2019 registration requirements, most data brokers identified by Privacy Rights Clearinghouse would have been classified as people search—due, in large part, to their presence in online searches for a person’s name.

In 2019—when analyzed and classified—of the 238 registered data brokers in Vermont

  • 133 were people search (56%)
  • 64 were marketing (27%)
  • 41 were financial, health, other or unclear (17%)

In 2021—when the newly available California and updated Vermont registries were analyzed and classified—of the 540 unique data brokers

  • 113 were people search (21%)
  • 265 were marketing (49%)
  • 162 were financial, health, other or unclear (30%)

While the percentage of registered companies providing people search services declined during the two-year period, the percentage of registered companies providing marketing services increased by almost double.

Potential Noncompliance with Registration Requirements in Both States

Both California and Vermont law apply to businesses that collect personal information on their respective state’s residents—regardless of where the data broker is based or headquartered. In general, the industry is not geographically restricted.

In July 2021, of the 540 unique data brokers

  • 117 reported their primary place of business as a California or Vermont address (22%)
    • 113 in California
    • 4 in Vermont
  • 407 were headquartered in states other than California or Vermont (75%)
  • 16 were headquartered in countries other than the United States (3%)

Overall, the businesses were headquartered in 38 different states and 8 countries.

This demonstrates the need for a more in-depth look into the individual business practices of each data broker to determine the scope of noncompliance among data brokers registered in one state and not another. In the people search context, for instance, this could be accomplished by using the broker’s service to search for residents of the state from which the broker does not have an active registration.

Unclear Whether California Registrants are Complying with Requirements

Under California law, data brokers are required to register annually to maintain compliance, and the state Attorney General’s office is required to keep an updated online registry with the registration information provided.20 This information includes registration status.21

When attempting to analyze how many registered data brokers were up to date on their registrations, information was unclear. The downloadable spreadsheet on the California Attorney General’s website includes a column labeled date added22 (this column is not present in the online registry). It is unknown whether this column indicates the date the data broker registered or the date the data broker was added to the registry by the agency—which may or may not coincide with the date of registration.

If date added indicates the effective date of registration, each data broker’s registration would expire one year after that date23 and approximately 62% (276 of 444) of California registrations would have had an expired status when the data was collected on July 1, 2021. If date added does not reflect the effective date of registration, it is unclear how many businesses are not complying with the renewal requirements.

This could be clarified by

  • defining the date added field
  • adding registration status to the online registry (to indicate whether the business is up to date on its registration)

Data Brokers Offering More Opt-Out Options

In 2019, approximately 39% of data brokers registered in Vermont provided either a form or email for people to opt out of data collection.
In 2020, the California Consumer Privacy Act required data brokers to

  • include a clear and conspicuous Do Not Sell My Personal Information hyperlink on their website's homepage that directs the consumer to a webpage where they may opt out of the sale of their personal information
  • include a description of a consumer’s rights in its online privacy policy or its California-specific description of a consumer’s rights along with a hyperlink to the Do Not Sell My Personal Information webpage
  • refrain from selling the information of consumers who have opted out for twelve months before requesting the consumer to authorize the sale of their personal information
  • only use the personal information collected from the opt-out form to comply with the opt-out request

In July 2021, of the 540 unique data brokers

  • 447 included some form of California-specific opt-out method on their website* (83%)
  • 27 may have had a California-specific method, but either included a broken link to the opt-out webpage or referenced an opt-out right without providing any method of exercising that right (5%)
  • 248 offered an opt-out method for non-California residents (46%)
  • 94 had a vague policy regarding opt-out methods for non-California residents (17%)

This indicates that there has been a change in data broker opt-out options and privacy policies influenced, at least in part, by the California Consumer Privacy Act.

 

This subset of data brokers did not all have a Do Not Sell My Information hyperlink in a clear or conspicuous place on their website as the law requires. However, they did have a clear section in their privacy policy that directs California consumers to a process where they can opt out or exercise their rights under the California Consumer Privacy Act. 

Notes

  1. See Data Brokers: A Call for Transparency and Accountability, Federal Trade Commission, (2014).
  2. See e.g.
  3. See id. 
  4. See Federal Trade Commission Report and Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, United States Government Accountability Office Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate (2013).
  5. See e.g.
  6. See
  7. See Landen, Xander, Vermont’s New Data Broker Registry Sees Low Compliance, VT Digger, (Jul. 2019).
  8. See Cal.Civ.Code § 1798.99.80 (2020).
  9. See
    • An act to amend the general business law, in relation to requiring registration of data brokers and directing the attorney general to maintain a website of such registrations, S 6848 2019-2020 Legislative Session, (Nov. 2019) (Sen. Thomas introduced a bill that would require data brokers to register with the State Attorney General. This bill did not pass.);
    • An Act to Create a Data Broker Registry and Improve Consumer Protections, H.P. 1226, 130th Maine Legis. (May 2021) (Rep. O’Neil of Saco proposed legislation that would require data brokers [1] to register with the Secretary of State, [2] protect consumer’s personal information with various security measures, and [3] provide a mechanism for consumers to opt-out from the collection and sale of their personal data. This bill did not pass.).
  10. See 9 V.S.A. § 2430(4)(A).

  11. See Guidance on Vermont’s Act 171 of 2018 Data Broker Regulation, Vermont Office of the Attorney General, (Dec. 2018), (Purchaser Credentialing Process – “refers to the practice of taking reasonable steps to confirm that a data broker’s customers are who they say they are, will be using the data collected for the purposes that they say they will be using it for, and will not use the data for nefarious purposes” – this is in response to the instances of data brokers providing consumer information to scammers, identity thieves, and other criminals.”).

  12. See 15 U.S.C. § 1681 (Fair Credit Reporting Act).

  13. See Pub. L. 106-102 (Gramm-Leach-Bliley Act).

  14. See Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code.

  15. See 2021 Registration Information – Data Broker Registration, Office of the California Attorney General (The Attorney General sets a new registration fee every year [pursuant to 1798.99.82]. The registration fee cannot exceed the reasonable costs of establishing and maintaining the information internet website described 1798.99.82. The registration fee for 2021 was $400.00.).

  16. See

  17. See Privacy Rights Clearinghouse, Data Brokers.

  18. See Cal.Civ.Code 11 § 999.317 (g) (Under this section of the California Consumer Privacy Act, businesses that buy or sell the personal information of 10,000,000 or more consumers are required to disclose (1) the number of requests received to download, delete, and opt-out, and (2) the number of days the business took to respond. Businesses must ensure that employees who handle consumer personal information are aware of and comply with this requirement.).

  19. See

  20. See Cal. Civ. Code §1798.99.84 (2020).

  21. See Cal. Civ.Code §1798.99.82 (2020).

  22. See Download CSV, California Department of Justice - Office of the Attorney General (last visited Jan 25, 2022).

  23. See Cal.Civ.Code § 1798.99.82(a).

  24. See Cal.Civ.Code § 1798.135.

  25. We classified something as vague when it was unclear whether a non-California resident could use the California-specific method to opt-out.

Contributors

We thank Murzia Siddiqui—law student at Villanova University School of Law—for her significant contributions to this report as a 2021 legal intern. We also thank Aaron Crimmins—law student at California Western School of Law—for his foundational contributions to this report as a 2019 legal intern.