9 June 2026

Data Brokers Face Rising Regulatory Pressure From States

Wiley Rein

Contributor


Data brokers are facing heightened scrutiny at the state level. Several states are continuing to expand their data broker registration frameworks, enact substantive restrictions on certain categories of data sales, and pursue enforcement proceedings against companies.

Companies that generate revenue by aggregating, selling, licensing, or otherwise monetizing consumer data – regardless of how those activities are labeled internally – should carefully assess whether they fall within the scope of applicable state data broker frameworks. Below, we identify recent data broker developments that companies should be monitoring.

Data broker requirements are expanding, and failure to register as a data broker is a stand-alone enforcement hook.

Several states have data broker registration laws on the books – including California, Texas, Vermont, and Oregon. Most recently, Connecticut enacted a new data broker law that will require data broker registration, among other things, as of January 1, 2027. In addition to registration, data brokers are subject to expanding obligations, including new deletion requirements under California’s Delete Act and Connecticut’s new data broker law.

Under these laws, failure to register is an independent legal violation. Recent enforcement actions demonstrate that regulators do not need to show consumer harm to initiate investigations; non-registration alone may be sufficient. For example, last year, the California Privacy Protection Agency (CPPA) brought an enforcement action against a Florida-based broker for failing to register and pay an annual fee required by the California Delete Act.

The statutory definitions of “data broker” can be broad, often encompassing companies that collect personal information about consumers with whom they have no direct relationship and disclose or sell that information to third parties. Companies that have not conducted a formal data broker status assessment should treat that analysis as a near-term compliance priority, particularly given the expanding obligations and accelerating pace of enforcement.

Certain data sales are subject to strict prohibitions.

A growing number of states are prohibiting the sale of precise geolocation data. Most recently, Connecticut and Virginia amended their comprehensive privacy laws to prohibit the sale of precise geolocation, joining similar prohibitions in Maryland and Oregon. The Virginia prohibition will go into effect on July 1, 2026; the Connecticut prohibition will go into effect on October 1, 2026. These prohibitions represent a substantive departure from the notice-and-choice model that is typically found in state privacy law.

Similarly, there has been an ongoing trend to restrict or prohibit the sale of minors’ data. For example, under amendments to the Connecticut privacy law that are set to take effect on July 1, 2026, controllers subject to that law are prohibited from selling a consumer’s personal data “where a controller has actual knowledge, or willfully disregards, that the consumer is at least thirteen years of age but younger than eighteen years of age.” 

These trends signal a broader shift in policymaker interest in categorical restrictions on certain sensitive data practices, rather than reliance on notice and choice or a consent framework. Companies that sell, license, or otherwise monetize sensitive data should assess whether their practices comply with these state frameworks and monitor whether other states adopt similar prohibitions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
