The short answer

Yes, data brokering is mostly legal in the US. No federal law prohibits collecting, aggregating, or selling personal information. Spokeo, Whitepages, and Radaris operate lawfully by compiling data from public records, social media, and commercial sources, then selling access.

The legal foundation: if information is already public — court records, property filings, voter registrations, your own social posts — aggregating it into a searchable profile is generally protected. Courts have held there is no privacy interest in information you have already made public, even when it is combined in ways you never anticipated.

But "mostly legal" is doing a lot of work. The exceptions matter, the gray areas are expanding, and the rules are shifting faster than at any point in the industry's history.

Why data brokering is legal

The data broker industry exists in a regulatory vacuum that is partly historical accident and partly constitutional design.

The public records doctrine. American law has long held that government records are public by default — court filings, property deeds, marriage licenses, voter registrations, business incorporations. Data brokers digitize and index these records, making searchable what was already accessible to anyone willing to visit a county clerk's office. Arguments for banning that practice run headfirst into a long tradition of open government.

First Amendment protection. Data brokers frame their work as speech: collecting facts and publishing them. The Supreme Court has held that truthful information, lawfully obtained, receives First Amendment protection. In Sorrell v. IMS Health (2011), the Court struck down a Vermont law restricting the sale of prescriber data, reinforcing that the sale of information is protected expression. Brokers cite this case frequently, and not without basis.

No comprehensive federal privacy law. The European Union has the GDPR. Canada has PIPEDA. Brazil has the LGPD. The United States has nothing comparable. Instead, American privacy law is a patchwork of sector-specific statutes, each covering a narrow category of data. If your information does not fall into one of those protected categories, there is no federal law preventing its sale.

The core legal argument data brokers make is simple: they are not creating new information. They are organizing information that is already available to the public. Whether that argument holds up against the reality of what modern data aggregation enables is one of the defining legal questions of our time.

The legal carve-outs

While no federal law covers data brokering generally, several laws restrict the collection and sale of specific types of personal data. These carve-outs are narrow but carry real consequences when violated.

  • Health data (HIPAA). The Health Insurance Portability and Accountability Act restricts how healthcare providers, insurers, and their business associates handle protected health information. A hospital cannot sell your medical records to a data broker. However, HIPAA only covers "covered entities" -- health data collected by apps, wearables, or purchased from non-medical sources often falls outside its scope.
  • Children's data (COPPA). The Children's Online Privacy Protection Act prohibits the collection of personal information from children under 13 without verifiable parental consent. Data brokers that knowingly include children's data in their databases are in violation. The FTC has brought multiple enforcement actions under COPPA, including against companies that scraped data from platforms with significant child user bases.
  • Credit data (FCRA). The Fair Credit Reporting Act regulates "consumer reporting agencies" -- companies that compile information used for credit decisions, employment screening, tenant screening, or insurance underwriting. If a data broker sells information used for any of these "permissible purposes," it must comply with FCRA requirements: accuracy standards, dispute resolution, and limits on who can access the data. This is the carve-out that data brokers most frequently run afoul of.
  • Financial data (GLBA). The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and to protect sensitive customer data. It restricts the sale of financial information like account numbers, balances, and transaction histories. However, it applies to financial institutions, not to data brokers who obtain financial data through other channels.

These laws protect important categories of information. But they leave the vast majority of personal data -- your name, address, phone number, age, relatives, employment history, property records -- entirely unregulated at the federal level.

The gray areas

The most consequential legal battles in data brokering are not about clearly illegal conduct. They are about activity that falls into gray areas where the law has not yet caught up.

Non-FCRA data used for FCRA purposes. A broker can legally sell a background report that includes name, address, and criminal history — as long as the buyer does not use it for a credit, employment, or housing decision. The distinction is almost impossible to enforce. Landlords, small employers, and individuals routinely buy people-search reports and use them for exactly those purposes. The broker disclaims FCRA in its terms. The buyer ignores the disclaimer. The subject has no way to prove what happened.

Selling to known bad actors. Brokers are not generally required to vet customers. But when a broker has reason to know a buyer intends to use data for stalking, harassment, or fraud, continuing to sell creates liability under state tort law and, in some cases, federal anti-stalking statutes. The FTC has argued in multiple enforcement actions that brokers who fail to screen out obviously harmful use cases are engaging in unfair business practices.

Data that enables discrimination. Selling profiles tagged with race, ethnicity, religion, or national origin — often inferred from name, address, or purchasing behavior — creates infrastructure for discriminatory targeting. The sale may be legal; using the data to discriminate in housing, employment, or credit is not. Whether a broker bears responsibility for foreseeable misuse remains unsettled.

State registration requirements are another emerging gray area. At least 15 states now require data brokers to register with a state authority and disclose their practices. California, Vermont, Texas, and Oregon have the most established registries. Brokers who fail to register can face fines of $100 to $10,000 per day. Many smaller brokers either do not know about these requirements or choose to ignore them.

Active litigation and enforcement

Enforcement has shifted dramatically since 2023. Regulators who spent years studying the data broker industry are now bringing cases.

FTC enforcement. The FTC has brought actions against several brokers under its authority over unfair and deceptive practices. In 2024, the agency took action against X-Mode Social (now Outlogic) for selling precise location data that could be used to track visits to medical facilities and places of worship. It has also targeted people-search sites marketed as FCRA-compliant without meeting the statute's accuracy and dispute requirements.

State attorney general actions. Texas filed a landmark suit against Allstate's data subsidiary Arity in 2024, alleging the company collected driving data from 45 million Americans through mobile apps without adequate consent. California's AG has pursued CCPA enforcement, which gives residents the right to opt out of data sales. Oregon, Connecticut, and New Jersey have opened investigations against brokers operating without required state registrations.

Class action lawsuits. Private litigation has grown, though outcomes are mixed. Cases typically allege FCRA violations (for brokers functioning as de facto consumer reporting agencies), state consumer protection violations, or state biometric privacy violations. Illinois's BIPA has produced the largest settlements, though most data brokers do not collect biometric data directly.

The pattern in enforcement is the same: regulators or plaintiffs argue a broker's actual business practices are more harmful than its disclaimers suggest. Brokers' claims that they are not consumer reporting agencies, that data is "for informational purposes only," or that buyers are responsible for compliance are increasingly being tested against what actually happens when the data is sold.

The constitutional tension

At the heart of the data brokering debate is a tension that American law has not resolved: your privacy interest versus the First Amendment's protection of information.

Individual public records are largely harmless alone. Your property deed sits at the county office. Your voter registration is public. Your court filing is accessible. Each fact standing alone presents minimal risk. The aggregation problem starts when one company combines hundreds of these points into a profile that reveals your daily patterns, finances, relationships, and location.

This is the "mosaic theory" of privacy — individually innocuous data points become surveillance-grade information when combined. The Supreme Court touched on this in Carpenter v. United States (2018), holding that long-term cell-phone location tracking constitutes a Fourth Amendment search, even though individual location points are not protected. But Carpenter applied to government surveillance, not commercial data.

Courts have not extended this reasoning to data brokers. Does the First Amendment protect compiling and selling a dossier on any American citizen, assembled from hundreds of public and commercial sources, available to anyone for a few dollars? The constitutional answer is genuinely uncertain. Lower courts have split, and the Supreme Court has not addressed it directly.

The aggregation problem in practice: your home address in a county filing is public. Your phone number in a business directory is public. Your employer on LinkedIn is public. But a single page that shows all three, alongside your relatives' names and your estimated income, creates something qualitatively different from any of its inputs. The law has not yet decided what to do about that difference.

Where the law is heading

The regulatory trajectory is clear, even if the timeline is not. Data brokering is becoming more regulated at every level of government.

State momentum. The most significant action is at the state level. California's CCPA and CPRA give residents the right to know, delete, and opt out of data sales. As of early 2026, at least 19 states have enacted comprehensive privacy laws, most including broker registration and consumer opt-out rights. Vermont pioneered broker registration in 2019; California, Texas, and Oregon now have the most expansive requirements.

Federal proposals. Multiple bills have been introduced in Congress, including the American Data Privacy and Protection Act (ADPPA), which would set national data minimization standards and create a private right of action. None have passed as of early 2026. Industry lobbying is intense, and federal-preemption disputes have stalled negotiations. The direction of travel is toward a federal baseline. The question is when, not whether.

The EU comparison. Under GDPR, brokers must have a lawful basis for processing personal data — typically consent or a legitimate interest that does not override the individual's rights. In practice, most US people-search business models would be illegal in Europe. EU regulators have fined data companies hundreds of millions of euros. The American model of "collect everything, let consumers opt out" is the inverse of Europe's "collect nothing unless justified." The gap is narrowing, but slowly.

The practical reality for Americans today: data brokering is legal, your information is being sold, and your primary recourse is to remove yourself from each broker individually. The law may eventually catch up. Until it does, the burden falls on you.