What the law actually gives you: data broker rights by state

Data brokers collect, aggregate, and sell your personal information — name, address, phone, email, age, employment history, and more — without ever telling you. The US legal landscape is a patchwork: a handful of states give you real rights; most have nothing specific to brokers at all.

This guide covers the federal baseline (and its gaps), which states give you meaningful rights, and exactly how to use those rights when they apply to you.

Federal law: the baseline (and its gaps)

There is no comprehensive federal law that regulates data brokers. Instead, federal privacy protections are sector-specific and narrow:

  • Fair Credit Reporting Act (FCRA) — Regulates consumer reporting agencies when data is used for credit, employment, or insurance decisions. Does not cover data brokers selling information for marketing, general lookup, or people-search purposes.
  • Children's Online Privacy Protection Act (COPPA) — Protects children under 13 from online data collection. Does not apply to offline data or information about adults.
  • Gramm-Leach-Bliley Act (GLBA) — Requires financial institutions to explain data-sharing practices. Only covers financial data held by financial institutions, not third-party brokers.
  • Health Insurance Portability and Accountability Act (HIPAA) — Protects health information held by covered entities (hospitals, insurers, providers). Data brokers selling health-adjacent data (pharmacy purchases, fitness app data) fall outside HIPAA's reach.
The critical gap: General-purpose data brokerage — where people-search sites and data brokers collect and sell your personal information to anyone willing to pay — is not covered by any federal law. Your protections depend entirely on which state you live in.

State-by-state summary table

The table below covers every state that has enacted meaningful privacy legislation affecting data brokers as of March 2026. States not listed have no specific data broker law — residents there have no state-level right to demand brokers delete their information.

| State | Data Broker Registry? | Opt-Out Rights? | Deletion Rights? | Private Right of Action? | Key Law |
|---|---|---|---|---|---|
| California | Yes | Yes | Yes | Yes | CCPA / CPRA (2018/2020) |
| Vermont | Yes | No | No | No | H.764 (2018) |
| Texas | Yes | Yes | Yes | No | TDPSA (2023) |
| Oregon | Yes | Yes | Yes | No | OCPA (2023) |
| Colorado | No | Yes | Yes | No | CPA (2021) |
| Virginia | No | Yes | Yes | No | VCDPA (2021) |
| Connecticut | No | Yes | Yes | No | CTDPA (2022) |
| New Jersey | No | Yes | Yes | Limited | NJ SB 332 (2024) |
| Delaware | No | Yes | Yes | No | DPDPA (2023) |
| Montana | No | Yes | Yes | No | MCDPA (2023) |
| Iowa | No | Yes | Yes | No | SF 262 (2023) |
| Tennessee | No | Yes | Yes | No | TIPA (2023) |
| Indiana | No | Yes | Yes | No | SB 5 (2023) |
| New Hampshire | No | Yes | Yes | No | SB 255 (2024) |
| Minnesota | No | Yes | Yes | Limited | MN Consumer Data Privacy Act (2024) |
| Maryland | No | Yes | Yes | No | MODPA (2024) |
| Nebraska | No | Yes | Yes | No | Nebraska Data Privacy Act (2024) |

States with no specific data broker law: Alabama, Alaska, Arizona, Arkansas, Florida, Georgia, Hawaii, Idaho, Illinois (has BIPA for biometrics only), Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Mississippi, Missouri, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Utah, Washington, West Virginia, Wisconsin, Wyoming. Residents of these states currently have no state-level right to demand data brokers delete their information.

Deep dives on key states

California (CCPA / CPRA)

California's privacy framework is the most comprehensive in the country and the closest thing to a European-style data protection regime. The California Consumer Privacy Act (2018), amended significantly by the California Privacy Rights Act (2020), gives residents sweeping control over their personal data.

Data Broker Registry: Under Cal. Civ. Code Section 1798.99.80, data brokers must register with the California Attorney General and pay an annual fee. The registry is publicly searchable at the AG's website. As of early 2026, over 500 companies are registered.

Consumer Rights:

  • Right to Know — You can request the specific categories and pieces of personal information a company has collected about you.
  • Right to Delete — You can demand deletion of personal information collected from you, with limited exceptions (ongoing transactions, security, legal obligations).
  • Right to Opt Out — You can direct a business to stop selling or sharing your personal information. Businesses must honor Global Privacy Control (GPC) browser signals.
  • Right to Correct — Added by CPRA, you can request correction of inaccurate personal information.
  • Private Right of Action — Consumers can sue for statutory damages ($100–$750 per incident) in the event of a data breach resulting from a company's failure to implement reasonable security. For non-breach violations, enforcement is through the California Privacy Protection Agency (CPPA).

Enforcement: The CPPA has been actively enforcing CCPA since July 2023. Notable enforcement actions have targeted data brokers for failure to honor removal requests and for inadequate data broker registration.

Vermont

Vermont was the first state to pass a data broker registration law in 2018 (H.764). While pioneering, the law is narrower than what followed in California.

What it requires: Companies that knowingly collect and sell the personal information of consumers with whom they do not have a direct relationship must register annually with the Vermont Secretary of State. The registry is public.

What it lacks: The law does not give Vermont residents a right to opt out or a right to delete data. It does not provide a private right of action. Its primary value is transparency — it forces data brokers to publicly identify themselves and disclose their practices. Vermont updated its privacy framework in 2024 with a broader consumer privacy bill, but the data broker registry remains its most distinctive contribution.

Texas (TDPSA)

The Texas Data Privacy and Security Act, enacted in 2023 and effective July 2024, is notable for its breadth. Unlike most state privacy laws that exempt small businesses, the TDPSA applies to any entity that conducts business in Texas or produces goods/services consumed by Texas residents and processes personal data — with no revenue or data volume threshold.

Key provisions:

  • Data broker registration requirement with the Texas Secretary of State (effective September 2024)
  • Consumer rights to access, correct, delete, and port personal data
  • Right to opt out of the sale of personal data, targeted advertising, and profiling
  • Companies must conduct data protection assessments for high-risk processing activities
  • 60-day cure period for violations, after which the AG can impose fines up to $7,500 per violation

Enforcement: AG-only enforcement. No private right of action. The broad applicability (no business size exemption) makes this law significant despite the lack of individual lawsuit rights.

Colorado (CPA)

The Colorado Privacy Act, effective July 2023, introduced one of the most consumer-friendly mechanisms in the country: a universal opt-out mechanism.

Universal Opt-Out: Starting July 2024, businesses must honor universal opt-out signals (like Global Privacy Control). This means Colorado residents can set their browser or device to automatically opt out of data sales across every website they visit, rather than submitting individual requests to each data broker.

Other rights: Access, correction, deletion, data portability, and the right to opt out of targeted advertising and profiling. Colorado's 60-day cure period sunsets in 2025, after which the AG can pursue violations immediately.

No data broker registry and no private right of action. Enforcement is through the AG's office exclusively.

Virginia (VCDPA)

The Virginia Consumer Data Protection Act, effective January 2023, was the second comprehensive state privacy law after California. It was crafted with significant industry input, and that shows in its enforcement structure.

Consumer rights: Access, deletion, correction, data portability, and opt-out of sale, targeted advertising, and profiling. Businesses have 45 days to respond to consumer requests.

Limitations: No data broker registry. No private right of action — only the AG can enforce. The law includes a 30-day cure period (no sunset), meaning businesses always get a chance to fix violations before facing penalties. Applies only to entities that control or process data of at least 100,000 consumers, or derive over 50% of revenue from selling data of at least 25,000 consumers.

Connecticut (CTDPA)

Connecticut's Data Privacy Act, effective July 2023, closely mirrors Virginia's framework but with a broader scope and stronger consumer protections in several areas.

What sets it apart:

  • Recognizes Global Privacy Control as a valid universal opt-out signal (like Colorado)
  • Covers nonprofit organizations (most state privacy laws exempt nonprofits)
  • The cure period (60 days initially) sunsets in December 2024, giving the AG direct enforcement power
  • Includes protections for children aged 13–16, requiring opt-in consent for data processing

Like Virginia, Connecticut has no data broker registry and no private right of action.

Oregon (OCPA)

The Oregon Consumer Privacy Act, effective July 2024, stands out for requiring a data broker registry — one of only four states (alongside California, Vermont, and Texas) to do so.

Notable provisions:

  • Data broker registration with the Oregon Department of Consumer and Business Services
  • Consumer rights to access, delete, correct, and port data, plus opt-out of sale and targeted advertising
  • Applies to nonprofits (unlike most state laws)
  • No revenue threshold for data broker registration — any entity that meets the definition must register
  • 45-day response window for consumer requests, extendable by 45 days with notice

Enforcement: AG-only. No private right of action. 30-day cure period (sunsets January 2026).

New Jersey (SB 332)

New Jersey's comprehensive privacy law, signed in January 2024 and effective January 2025, is among the most recent additions to the state privacy landscape.

Key provisions:

  • Consumer rights to access, delete, correct, and port personal data
  • Right to opt out of sale, targeted advertising, and profiling
  • Requires recognition of universal opt-out mechanisms
  • Heightened protections for sensitive data, including precise geolocation and health information
  • Limited private right of action for data breach scenarios, with potential for statutory damages
  • No data broker registry requirement

New Jersey's law applies to entities that control or process data of at least 100,000 consumers, or 25,000 consumers if they derive revenue from selling data. The AG handles enforcement for most violations.

Exercising your CCPA deletion rights: step by step

California's CCPA gives you the strongest individual tools available under US law for removing your data from brokers. Here is exactly how to use them:

  1. Identify the brokers holding your data. Run a scan with a tool like Delist.ai to see which data brokers have your personal information indexed. Note each broker's name and the specific data they hold.
  2. Locate each broker's privacy page. Under CCPA, data brokers must provide a "Do Not Sell My Personal Information" link on their website. This is typically found in the footer or privacy policy page.
  3. Submit a verifiable consumer request. Send a deletion request through the broker's designated channel (web form, email, or toll-free number). You must provide enough information for the broker to verify your identity — typically your name, email, and state of residence.
  4. Use the template language below. A clear, specific request citing CCPA gets faster results than a vague email.
  5. Track the 45-day response deadline. Under CCPA, brokers must acknowledge your request within 10 business days and complete the deletion within 45 calendar days. They may extend this by an additional 45 days with written notice.
  6. Escalate if needed. If a broker fails to respond or refuses without a valid exemption, you can file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
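
Steps 5 and 6 as an added example (not code from Delist or any broker): a small tracker that computes the acknowledgement and deletion deadlines stated above and flags requests that are ready to escalate. It assumes the clock starts on the day you send the request and counts weekdays only, ignoring public holidays; the broker names are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_BUSINESS_DAYS = 10     # acknowledgement window from step 5
DELETE_CALENDAR_DAYS = 45  # deletion window from step 5
EXTENSION_DAYS = 45        # extra time if the broker gives written notice


def add_business_days(start: date, days: int) -> date:
    """Advance `days` weekdays past `start`. Weekends are skipped;
    public holidays are not modelled (simplifying assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            days -= 1
    return current


@dataclass
class DeletionRequest:
    broker: str
    sent: date                       # assumption: clock starts when sent
    acknowledged: Optional[date] = None
    extension_noticed: bool = False  # broker sent written extension notice
    completed: Optional[date] = None

    @property
    def ack_due(self) -> date:
        return add_business_days(self.sent, ACK_BUSINESS_DAYS)

    @property
    def delete_due(self) -> date:
        extra = EXTENSION_DAYS if self.extension_noticed else 0
        return self.sent + timedelta(days=DELETE_CALENDAR_DAYS + extra)

    def status(self, today: date) -> str:
        if self.completed is not None:
            return "done"
        if today > self.delete_due:
            return "escalate: deletion overdue"
        if self.acknowledged is None and today > self.ack_due:
            return "escalate: no acknowledgement"
        return "waiting"


# Constructed sample data; the broker names are placeholders.
REQUESTS = [
    DeletionRequest("broker-a.example", date(2026, 3, 2), acknowledged=date(2026, 3, 5)),
    DeletionRequest("broker-b.example", date(2026, 3, 2)),
    DeletionRequest("broker-c.example", date(2026, 1, 5),
                    acknowledged=date(2026, 1, 9), extension_noticed=True),
]


def report(today: date) -> dict:
    """Map each broker to its current status as of `today`."""
    return {r.broker: r.status(today) for r in REQUESTS}
```

Any request reported as "escalate" is a candidate for the CPPA complaint described in step 6.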

CCPA deletion request template

Subject: CCPA Deletion Request — [Your Full Name]

To Whom It May Concern:

Pursuant to the California Consumer Privacy Act (Cal. Civ. Code Section 1798.105), I am requesting the deletion of all personal information your company has collected about me.

Full Name: [Your Name]
Email Address: [Your Email]
State of Residence: California
Additional Identifying Information: [City, phone, or other details the broker may have on file]

I understand you must verify my identity before processing this request. Please let me know what additional verification you require.

Under CCPA, you are required to acknowledge this request within 10 business days and complete the deletion within 45 calendar days.

Thank you for your prompt attention to this matter.

[Your Name]
[Date]

Not a California resident? Many data brokers honor CCPA-style deletion requests from all US residents, because it is operationally simpler than maintaining separate state-by-state systems. It is always worth submitting a request even without a state law behind you — you may get your data removed. The difference: if a broker ignores you, you have no legal recourse.

The federal law that may be coming

The American Privacy Rights Act (APRA) represents the most serious attempt at comprehensive federal privacy legislation to date. First introduced in the 118th Congress (2024) with bipartisan support, the bill has been reintroduced in 2025 with revisions.

What APRA would change:

  • National data broker registry — The FTC would maintain a centralized, searchable registry of all data brokers operating in the US, replacing the current patchwork of state registries.
  • Universal opt-out and deletion rights — All Americans would have the right to opt out of data sales and request deletion, regardless of state. Data brokers would be required to honor universal opt-out signals.
  • Data minimization — Companies could only collect and retain data that is "reasonably necessary" for the service being provided. This would fundamentally challenge the data broker business model.
  • Private right of action — Individuals could sue companies for violations, with statutory damages. This is the provision most fiercely contested by industry lobbyists.
  • Preemption — APRA would preempt most state privacy laws, creating a single national standard. California has opposed preemption, arguing it would weaken CCPA protections.

Current status (March 2026): APRA passed the House Energy and Commerce Committee in 2024 but stalled before a full floor vote. The reintroduced version faces similar headwinds: disagreement over preemption scope, private right of action, and FTC enforcement authority. Industry groups continue to lobby for weaker provisions. Consumer advocates argue the bill doesn't go far enough in its current form.

Until APRA or something like it passes, your privacy rights are determined entirely by where you live — and in most states, that means you have very few rights at all. In the meantime, submitting removal requests directly to data brokers remains your most reliable path, with or without a law requiring them to comply.

Frequently asked questions

Can I remove my data from brokers if my state has no privacy law?

Yes, in many cases. Most major data brokers offer opt-out processes to all US residents, regardless of state law. They do this partly because it is easier to maintain one process nationwide, and partly because they operate in California and must comply with CCPA anyway. Submit removal requests directly on each broker's website. The key difference: without a state law backing you, you have no legal recourse if the broker ignores your request.

What is a data broker registry, and why does it matter?

A data broker registry is a public list, maintained by a state government, of companies that collect and sell consumer data without a direct relationship with those consumers. Registries matter because they force data brokers to identify themselves publicly. Without a registry, you may not even know which companies have your data. California, Vermont, Texas, and Oregon currently maintain registries.

What is the difference between "opt-out rights" and "deletion rights"?

Opt-out rights let you tell a company to stop selling your data going forward. Your data may still exist in their systems — they just cannot sell it to new buyers. Deletion rights go further: you can demand the company erase your personal information entirely from their databases. For data privacy removal, you want both: opt-out to stop the bleeding, and deletion to remove what is already there.

What does "private right of action" mean?

A private right of action means you can sue a company directly for violating the law, without waiting for a government agency to act on your behalf. Most state privacy laws only allow enforcement by the state Attorney General, which means violations go unpunished unless the AG decides to prioritize your complaint. California's CCPA is the strongest in this regard, allowing consumers to sue for data breaches with statutory damages of $100–$750 per incident.

Do data brokers actually comply with deletion requests?

Compliance varies widely. Larger, better-known data brokers generally process deletion requests within 30–45 days, especially for California residents. Smaller or less scrupulous brokers may ignore requests, delay indefinitely, or re-add your data from public records within months. This is why ongoing monitoring matters — a one-time deletion request is rarely permanent.

How long does data privacy removal take?

Under CCPA, brokers have 45 calendar days to process a deletion request (extendable by 45 days with notice). In practice, most brokers complete removal within 2–4 weeks. However, your data may reappear within 3–6 months as brokers re-aggregate from public records, voter rolls, property records, and other sources. Continuous monitoring and re-submission of removal requests is the only reliable way to keep your data off broker sites long-term.
