PrivacyOn
Privacy GuideMay 19, 20268 min read

Understanding Data Broker Registries

SC

By Sarah Chen

Head of Privacy Research

Understanding Data Broker Registries

Most people have no idea which companies are buying and selling their personal data. Data broker registries change that. Several U.S. states now require data brokers to register with a government agency, creating public databases that reveal the companies profiting from your information—and giving you new tools to fight back.

What Is a Data Broker Registry?

A data broker registry is a government-maintained list of companies that collect and sell personal data about consumers. States that require registration compel data brokers to publicly identify themselves, disclose their data practices, and in some cases provide consumers with direct opt-out mechanisms.

Think of it as a transparency requirement: companies that trade in your personal information must step out of the shadows and register with the state, much like businesses that handle financial transactions or real estate.

Which States Require Data Broker Registration?

As of 2026, four states have enacted data broker registration requirements:

California

California's registry is the most comprehensive. Managed by the California Privacy Protection Agency (CPPA), it requires data brokers to register annually by January 31 and pay a $6,000 annual fee. Key requirements include:

  • Disclosure of the categories of personal information collected and sold
  • Access to the DELETE (DROP) platform—California's centralized deletion system launching in August 2026
  • Processing consumer deletion requests within 90 days of retrieval
  • Perpetual deletion cycles for consumers who opt into ongoing removal

Failure to process deletion requests carries penalties of $200 per request per day—creating massive potential liability for non-compliant brokers.

Vermont

Vermont was the first state to establish a data broker registry in 2018. Brokers must register annually by January 31 with the Secretary of State's office and pay a $100 filing fee. Requirements include:

  • Disclosure of data collection and opt-out practices
  • Description of data protection and security standards
  • Reporting of any breaches within the past year

Penalties for non-registration reach $50 per day up to $10,000 annually.

Oregon

Oregon requires data broker registration with the Department of Consumer and Business Services. Notably, Oregon does not include a knowledge requirement—companies don't need to knowingly collect and sell data to be considered data brokers under the law.

Texas

Texas requires data brokers to register with the Secretary of State. Like Oregon, Texas uses a broader definition that doesn't require the company to knowingly trade in personal data, capturing more companies in its net.

Why Registration Matters

Before registries existed, you had no way to know which companies held your data. Now, you can search state registries to identify brokers, find their opt-out processes, and submit removal requests. California's upcoming DROP platform will take this further by letting you send a single deletion request to all registered brokers simultaneously.

How Many Data Brokers Are Registered?

The numbers are eye-opening. California's registry lists hundreds of registered data brokers—but research from the Privacy Rights Clearinghouse suggests that many more operate without registering, despite the legal requirement. The gap between registered and actual data brokers highlights a persistent enforcement challenge.

Vermont's registry, despite the state's small size, also lists hundreds of registered brokers—a reminder that the data broker industry is nationwide, and brokers collect information on residents of every state.

Many Brokers Don't Register

Despite legal mandates, compliance is far from universal. Hundreds of data brokers may be operating without registering in states that require it. Non-registration doesn't mean your data isn't being collected and sold—it means the broker is either unaware of the requirement or intentionally ignoring it. Enforcement is improving but remains a work in progress.

How to Use Data Broker Registries

You can use these registries as a practical tool for protecting your privacy:

  1. Browse the registry to identify data brokers that may hold your information. California's registry is searchable at cppa.ca.gov.
  2. Find opt-out links. Registered brokers must disclose how consumers can opt out. Use this information to submit removal requests directly.
  3. Cross-reference your search results. If a people-search site appears in your Google results but isn't registered in a state that requires it, that's a potential violation you can report.
  4. File complaints. If a registered broker fails to honor your opt-out request, file a complaint with the state agency overseeing the registry.

California's DELETE Act and the DROP Platform

California's Defending Californians' Act (SB 361) represents the most aggressive approach to data broker regulation. The DELETE Act created the DROP (Data Removal Opt-out Platform), a centralized system where California residents can submit a single deletion request that is distributed to all registered data brokers.

Beginning August 2026, registered brokers must:

  • Access the DROP platform at least every 45 days
  • Process deletion requests within 90 days
  • Implement perpetual deletion for consumers who request it

This is a game-changer for California residents, but the rest of the country is watching closely. If DROP proves effective, other states are likely to follow with similar centralized opt-out systems.

What Registries Don't Cover

Data broker registries are a powerful transparency tool, but they have limitations:

  • Not all states have them. If you don't live in California, Vermont, Oregon, or Texas, there's no local registry to reference (though you can still use California's).
  • Compliance gaps. Many brokers operate without registering, and enforcement resources are limited.
  • New brokers appear constantly. The data broker industry is dynamic, with new companies launching regularly.
  • International brokers. Companies based outside the U.S. may not register, even if they collect data on American residents.

Let PrivacyOn Cover the Gaps

State registries are an important step forward, but they don't solve the problem on their own. PrivacyOn goes beyond what registries offer by actively submitting opt-out requests to 100+ data broker sites—including those that aren't registered anywhere. We monitor for re-listings, scan the dark web for leaked personal data, and provide continuous protection that no registry alone can match.

While California's DROP platform will eventually help residents of one state, PrivacyOn protects you nationwide, right now. Plans start at $8.33/month with family coverage for up to 5 people.

The Future of Data Broker Transparency

Data broker registries represent a fundamental shift: for the first time, the companies selling your data must identify themselves publicly. As more states adopt registration requirements and California's DROP platform launches, consumers will have more tools than ever to reclaim their privacy. In the meantime, combining registry awareness with active data removal gives you the strongest protection available today.

SC
Sarah Chen

Head of Privacy Research

CIPP/US CertifiedIAPP MemberB.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.

Related Articles

Opt-Out Guides

How to Opt Out of Data Brokers

Security

Is It Legal for Data Brokers to Sell Your Information?

Privacy Guide

California's DELETE Act and DROP Platform Explained

Ready to Protect Your Privacy?

Let PrivacyOn automatically remove your personal information from data broker sites and keep it removed.