Data Broker Rules from Regulators May Catch Businesses Off Guard

Recent legislative amendments and rulemaking have resulted in more companies qualifying as “data brokers,” expanding that term to reach companies that haven’t traditionally viewed themselves as operating in the data industry.

The new legislation and regulations now cover activities beyond the straightforward resale of personal data. Because registered data brokers face greater compliance obligations and heightened regulatory scrutiny, the changes are significant for companies that are now subject to these laws.

California, Oregon, Texas, and Vermont have enacted laws requiring entities that meet the laws’ definitions of “data brokers” to register with the state and meet certain other compliance obligations. Of these laws, California and Texas now define “data broker” most broadly.

California defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Under new regulations to the California Delete Act that took effect in 2025, a business doesn’t have a direct relationship with consumers if it sells personal information “about the consumer that it collected outside of a ‘first party’ interaction with the consumer.”

“Selling” is defined broadly to include disclosures to third parties (other than service providers) for valuable consideration. Taken together, these expansive definitions can result in businesses triggering data broker requirements because of ordinary marketing activities—such as enriching customer profiles with purchased data and allowing advertising platforms to use that data for third-party targeting.

In Texas, 2025 amendments to the state’s Data Broker Act may result in the act applying to businesses that merely process third-party data instead of reselling it. A data broker in Texas is “a business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” A data broker also must register with the state if it derives revenue directly from processing or transferring the personal data of more than 50,000 Texas residents.

A company might therefore fall in the scope of the Texas law if it derives revenue from merely processing third-party information of more than 50,000 Texas residents—even if such processing is incidental to the company’s business and/or the data isn’t resold.

This shift in the legal landscape suggests that all organizations that control and process personal information—not just those that engage in traditional data sales—should review their data use cases to determine whether they trigger data broker requirements. These reviews should focus on identifying whether the entity obtains personal information from sources other than their own customers/users.

If the answer to that question is “yes,” the organization must evaluate whether:

• the data is available to third parties other than service providers or at the direction of the consumer to whom the data relates, which may trigger California requirements
• processing or transferring the data generates revenue or support revenue-generating activities. which may trigger Texas requirements

If either of these conditions is true, the entity may have to register as a data broker in at least Texas and California and should consider whether the somewhat narrower laws in Vermont and Oregon apply as well.

Organizations subject to data broker laws face heightened scrutiny and compliance obligations. In 2024, Texas Attorney General Ken Paxton issued letters notifying over 100 companies of their failure to register as data brokers as required by the Texas Data Broker Law.

In November 2025, CalPrivacy announced the creation of a Data Broker Enforcement Strike Force to investigate privacy violations by the data broker industry and review data brokers’ compliance with the California Delete Act. In January, the strike force brought two enforcement actions against data brokers for violations of the Delete Act.

California’s compliance landscape has also become more onerous. On Jan. 1, the state launched the Delete Request and Opt-Out Platform, or DROP, a centralized system that allows California consumers to submit a single request to remove their personal information from all registered data brokers. Data brokers were required to register to receive requests through the new platform by Jan. 31 and must begin processing and reporting the status of deletion requests by Aug. 1. As of earlier this month, a quarter million Californians had already submitted DROP requests, including 18,000 requests in the first 48 hours after the program was launched.

These developments suggest that companies should reassess whether their activities trigger registration and compliance obligations. Even where data sales or transfers are ancillary to the business model, the statutory definitions in California and Texas now reach far beyond traditional data brokerage. Companies that have determined that data broker statutes apply should also carefully evaluate their compliance programs to ensure that they meet all requirements, including the enrollment and reporting requirements for California’s DROP system.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Marci Rozen is senior legal director at ZwillGen who advises companies on cybersecurity and privacy issues, with understanding of risk assessment, policy development, and regulatory compliance.

Lucia Martinez is a fellow at ZwillGen and works alongside attorneys across all practice areas on complex matters involving privacy, security, and surveillance.

Write for Us: Author Guidelines