Security | April 2, 2026 | 8 min read

Is It Legal for Data Brokers to Sell Your Information?

The short answer may surprise you: yes, in most of the United States, it is perfectly legal for data brokers to collect and sell your personal information. There is no comprehensive federal privacy law that prohibits this practice. However, a growing patchwork of state laws is giving consumers more rights than ever before, and the landscape is shifting rapidly.

The Scale of the Problem

The data broker industry generates an estimated $200 billion or more in annual revenue. There are thousands of data broker companies operating in the U.S., and they hold detailed profiles on virtually every American adult -- including your name, address, phone number, email, income estimates, purchasing habits, health interests, political affiliations, and more.

Why Is This Legal?

Unlike the European Union, which has the General Data Protection Regulation (GDPR) providing broad privacy protections, the United States lacks a single, comprehensive federal privacy law. Instead, the U.S. relies on a sector-specific approach:

  • HIPAA protects health information held by healthcare providers and insurers
  • FERPA protects student education records
  • GLBA covers financial data held by banks and lenders
  • COPPA protects children under 13 online

But none of these laws cover the general collection and sale of personal data by data brokers. In the gaps between these sector-specific regulations, data brokers operate freely.

How Data Brokers Legally Obtain Your Information

Data brokers build their databases through entirely legal channels, including:

  • Public records: Court filings, property records, voter registrations, marriage and divorce records, and business filings are all publicly available and regularly scraped by brokers
  • Purchase histories: Retailers and loyalty programs sell or share transaction data with brokers
  • Web scraping: Brokers collect information posted publicly on social media profiles, forums, and websites
  • Data sharing agreements: Companies share user data with partners and affiliates, who may then resell it to brokers
  • App permissions: Mobile apps that request access to your contacts, location, or browsing history may sell that data to brokers
  • Surveys and contests: Free quizzes, sweepstakes entries, and online surveys often exist primarily to collect marketable personal data

Key State Laws Changing the Rules

While federal action has stalled, several states have enacted meaningful privacy legislation that directly affects data brokers.

California: CCPA, CPRA, and the DELETE Act

California leads the nation in consumer privacy rights. The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives residents the right to:

  • Know what personal information is being collected about them
  • Request deletion of their personal information
  • Opt out of the sale or sharing of their data
  • Not be discriminated against for exercising these rights

In 2023, California passed the landmark DELETE Act (SB 362), which created the Data Broker Requests and Opt-Out Platform (DROP). This portal, which went live on January 1, 2026, allows consumers to submit a single deletion request that applies to all registered data brokers in the state. As of early 2026, 545 data brokers are registered. Beginning August 1, 2026, brokers must process deletion requests within 45 days and continue deleting any newly collected data about opted-out consumers on an ongoing basis.

Vermont: Broker Registration

Vermont was the first state to require data brokers to register with the state government, creating transparency about which companies are in the business of buying and selling personal data. While registration alone does not stop the practice, it created an important public record and paved the way for stronger legislation in other states.

Texas: Data Broker Act (SB 2105)

Texas enacted its Data Broker Act through SB 2105, requiring data brokers to register with the Secretary of State, disclose their data handling practices, and maintain comprehensive information security programs. The law was significantly expanded in 2025 through SB 2121, which broadened the definition of "data broker" beyond companies whose primary revenue comes from data sales. Noncompliance carries penalties of $100 per day, up to $10,000 in a 12-month period.

Oregon Consumer Privacy Act

Oregon's privacy law, which took effect in 2024, gives consumers the right to access, delete, and correct their personal data. It also includes the right to opt out of data sales, targeted advertising, and profiling. Notably, Oregon's law applies to nonprofits as well, unlike most other state privacy laws.

Registration Does Not Mean Restriction

It is important to understand that many state laws require data brokers to register, but registration alone does not stop them from selling your data. You still need to actively exercise your opt-out and deletion rights. Without taking action, your information remains available for sale even in states with strong privacy laws.

How the U.S. Compares to the EU (GDPR)

Under the European Union's General Data Protection Regulation (GDPR), the default position is the opposite of the U.S. approach:

  • Consent first: Companies must obtain explicit consent before collecting personal data in most cases
  • Right to be forgotten: Individuals can demand deletion of their data
  • Data minimization: Companies may only collect data that is necessary for a specific, stated purpose
  • Heavy penalties: Fines can reach up to 4% of global annual revenue

No U.S. state law comes close to the GDPR's scope, though California's framework is the closest. The fundamental difference is that in Europe, privacy is treated as a default right, while in the U.S., consumers must actively opt out.

Your Rights Today

Even without a federal law, you have more tools available than many people realize:

  • Opt out directly: Most major data brokers have opt-out pages, though the process is deliberately time-consuming and varies by broker
  • Use California's DROP portal: If brokers hold data on California residents (or anyone who submits through the portal), the DELETE Act may apply
  • Enable Global Privacy Control (GPC): This browser signal tells websites you want to opt out of data sales. Under the CCPA, businesses must honor GPC signals
  • Submit deletion requests: Under state privacy laws, you can request that brokers delete your data, though you may need to do this individually with each broker

What Is Changing

The trend is clearly moving toward stronger consumer protections. More than a dozen states have enacted comprehensive privacy laws since 2020, and federal legislation like the American Privacy Rights Act (APRA) has been introduced in Congress, though it has yet to pass. Consumer advocacy groups continue to push for a unified federal standard.

In the meantime, the burden of protecting your data still falls largely on you. Opting out of data brokers one by one is technically possible but extremely time-consuming -- there are hundreds of brokers, each with different processes, and many re-collect your data within months.

PrivacyOn simplifies this by handling opt-out requests across more than 100 data brokers on your behalf, with 24/7 monitoring to ensure your data stays removed. Combined with dark web monitoring, PrivacyOn provides ongoing protection rather than a one-time fix. Family plans cover up to 5 members starting at $8.33 per month, making comprehensive data removal accessible for individuals and families alike.

PrivacyOn Team

Experts in online privacy and data protection since 2022.
