Data brokers collect, aggregate, and sell your personal information — your name, address, phone number, email, age, employment history, and sometimes much more. In the United States, the legal landscape governing these companies is a patchwork: a handful of states have passed strong privacy laws, while the majority still have no specific data broker regulations at all.
This guide breaks down what protections exist at the federal level, which states give you meaningful rights over your data, and exactly how to exercise those rights when they apply to you.
There is no comprehensive federal law that regulates data brokers. Instead, federal privacy protections are sector-specific and narrow:
The following table covers every state that has enacted meaningful privacy legislation affecting data brokers. States not listed have no specific data broker law or comprehensive privacy statute as of March 2026.
| State | Data Broker Registry? | Opt-Out Rights? | Deletion Rights? | Private Right of Action? | Key Law |
|---|---|---|---|---|---|
| California | Yes | Yes | Yes | Yes | CCPA / CPRA (2018/2020) |
| Vermont | Yes | No | No | No | H.764 (2018) |
| Texas | Yes | Yes | Yes | No | TDPSA (2023) |
| Oregon | Yes | Yes | Yes | No | OCPA (2023) |
| Colorado | No | Yes | Yes | No | CPA (2021) |
| Virginia | No | Yes | Yes | No | VCDPA (2021) |
| Connecticut | No | Yes | Yes | No | CTDPA (2022) |
| New Jersey | No | Yes | Yes | Limited | NJ SB 332 (2024) |
| Delaware | No | Yes | Yes | No | DPDPA (2023) |
| Montana | No | Yes | Yes | No | MCDPA (2023) |
| Iowa | No | Yes | Yes | No | SF 262 (2023) |
| Tennessee | No | Yes | Yes | No | TIPA (2023) |
| Indiana | No | Yes | Yes | No | SB 5 (2023) |
| New Hampshire | No | Yes | Yes | No | SB 255 (2024) |
| Minnesota | No | Yes | Yes | Limited | MN Consumer Data Privacy Act (2024) |
| Maryland | No | Yes | Yes | No | MODPA (2024) |
| Nebraska | No | Yes | Yes | No | Nebraska Data Privacy Act (2024) |
States with no specific data broker law: Alabama, Alaska, Arizona, Arkansas, Florida, Georgia, Hawaii, Idaho, Illinois (has BIPA for biometrics only), Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Mississippi, Missouri, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Utah, Washington, West Virginia, Wisconsin, Wyoming. Residents of these states currently have no state-level right to demand data brokers delete their information.
California's privacy framework is the most comprehensive in the country and the closest thing to a European-style data protection regime. The California Consumer Privacy Act (2018), amended significantly by the California Privacy Rights Act (2020), gives residents sweeping control over their personal data.
Data Broker Registry: Under Cal. Civ. Code Section 1798.99.80, data brokers must register with the California Attorney General and pay an annual fee. The registry is publicly searchable at the AG's website. As of early 2026, over 500 companies are registered.
Consumer Rights:
Enforcement: The California Privacy Protection Agency (CPPA) has been actively enforcing the CCPA since July 2023. Notable enforcement actions have targeted data brokers for failure to honor opt-out requests and for inadequate data broker registration.
Vermont was the first state to pass a data broker registration law in 2018 (H.764). While pioneering, the law is narrower than what followed in California.
What it requires: Companies that knowingly collect and sell the personal information of consumers with whom they do not have a direct relationship must register annually with the Vermont Secretary of State. The registry is public.
What it lacks: The law does not give Vermont residents a right to opt out or a right to delete data. It does not provide a private right of action. Its primary value is transparency — it forces data brokers to publicly identify themselves and disclose their practices. Vermont updated its privacy framework in 2024 with a broader consumer privacy bill, but the data broker registry remains its most distinctive contribution.
The Texas Data Privacy and Security Act, enacted in 2023 and effective July 2024, is notable for its breadth. Unlike most state privacy laws that exempt small businesses, the TDPSA applies to any entity that conducts business in Texas or produces goods/services consumed by Texas residents and processes personal data — with no revenue or data volume threshold.
Key provisions:
Enforcement: AG-only enforcement. No private right of action. The broad applicability (no business size exemption) makes this law significant despite the lack of individual lawsuit rights.
The Colorado Privacy Act, effective July 2023, introduced one of the most consumer-friendly mechanisms in the country: a universal opt-out mechanism.
Universal Opt-Out: Starting July 2024, businesses must honor universal opt-out signals (like Global Privacy Control). This means Colorado residents can set their browser or device to automatically opt out of data sales across every website they visit, rather than submitting individual requests to each data broker.
Other rights: Access, correction, deletion, data portability, and the right to opt out of targeted advertising and profiling. Colorado's 60-day cure period sunsets in 2025, after which the AG can pursue violations immediately.
No data broker registry and no private right of action. Enforcement is through the AG's office exclusively.
The Virginia Consumer Data Protection Act, effective January 2023, was the second comprehensive state privacy law after California. It was crafted with significant industry input, and that shows in its enforcement structure.
Consumer rights: Access, deletion, correction, data portability, and opt-out of sale, targeted advertising, and profiling. Businesses have 45 days to respond to consumer requests.
Limitations: No data broker registry. No private right of action — only the AG can enforce. The law includes a 30-day cure period (no sunset), meaning businesses always get a chance to fix violations before facing penalties. Applies only to entities that control or process data of at least 100,000 consumers, or derive over 50% of revenue from selling data of at least 25,000 consumers.
Connecticut's Data Privacy Act, effective July 2023, closely mirrors Virginia's framework but with a broader scope and stronger consumer protections in several areas.
What sets it apart:
Like Virginia, Connecticut has no data broker registry and no private right of action.
The Oregon Consumer Privacy Act, effective July 2024, stands out for requiring a data broker registry — one of only four states (alongside California, Vermont, and Texas) to do so.
Notable provisions:
Enforcement: AG-only. No private right of action. 30-day cure period (sunsets January 2026).
New Jersey's comprehensive privacy law, signed in January 2024 and effective January 2025, is among the most recent additions to the state privacy landscape.
Key provisions:
New Jersey's law applies to entities that control or process data of at least 100,000 consumers, or 25,000 consumers if they derive revenue from selling data. The AG handles enforcement for most violations.
California's CCPA provides the strongest tools for removing your data from brokers. Here is exactly how to use them:
The American Privacy Rights Act (APRA) represents the most serious attempt at comprehensive federal privacy legislation to date. First introduced in the 118th Congress (2024) with bipartisan support, the bill has been reintroduced in 2025 with revisions.
What APRA would change:
Current status (March 2026): APRA passed the House Energy and Commerce Committee in 2024 but stalled before a full floor vote. The reintroduced version faces similar headwinds: disagreement over preemption scope, private right of action, and FTC enforcement authority. Industry groups continue to lobby for weaker provisions. Consumer advocates argue the bill doesn't go far enough in its current form.
Until APRA or a similar bill passes, your privacy rights remain determined by your state of residence — and in most states, that means you have very few rights at all.
Yes, in many cases. Most major data brokers offer opt-out processes to all US residents, regardless of state law. They do this partly because it is easier to maintain one process nationwide, and partly because they operate in California and must comply with CCPA anyway. Submit opt-out requests directly on each broker's website. The key difference: without a state law backing you, you have no legal recourse if the broker ignores your request.
A data broker registry is a public list, maintained by a state government, of companies that collect and sell consumer data without a direct relationship with those consumers. Registries matter because they force data brokers to identify themselves publicly. Without a registry, you may not even know which companies have your data. California, Vermont, Texas, and Oregon currently maintain registries.
Opt-out rights let you tell a company to stop selling your data going forward. Your data may still exist in their systems — they just cannot sell it to new buyers. Deletion rights go further: you can demand the company erase your personal information entirely from their databases. For data broker removal, you want both: opt-out to stop the bleeding, and deletion to remove what is already there.
A private right of action means you can sue a company directly for violating the law, without waiting for a government agency to act on your behalf. Most state privacy laws only allow enforcement by the state Attorney General, which means violations go unpunished unless the AG decides to prioritize your complaint. California's CCPA is the strongest in this regard, allowing consumers to sue for data breaches with statutory damages of $100–$750 per incident.
Compliance varies widely. Large, well-known brokers (Spokeo, Whitepages, BeenVerified) generally process deletion requests within 30–45 days, especially for California residents. Smaller or less scrupulous brokers may ignore requests, delay indefinitely, or re-add your data from public records within months. This is why ongoing monitoring is important — a one-time deletion request is rarely permanent.
Under CCPA, brokers have 45 calendar days to process a deletion request (extendable by 45 days with notice). In practice, most brokers complete removal within 2–4 weeks. However, your data may reappear within 3–6 months as brokers re-aggregate from public records, voter rolls, property records, and other sources. Continuous monitoring and re-submission of removal requests is the only reliable way to keep your data off broker sites long-term.