Understanding Data Broker Regulations in the U.S.
Zane Witherspoon, CIPP/US

tl;dr

  • There are now 5 Data Broker Registration laws in the United States, and they impact thousands of businesses inside and outside the U.S.

  • Most businesses that collect and transfer personal data about consumers they don't have a direct relationship with have to register.

  • The deadlines to register in VT, TX, OR, and CA have already passed, but businesses should still register immediately to avoid accruing more fines. Connecticut is the newest, and its registration requirement kicks in January 1, 2027.

  • A registration agency service like Superset can make registering 5x faster and safer for your business.

If you're here, you're probably wondering whether and how you need to comply, so we'll cover the fundamentals of:

1) the current state of data broker registration laws in the US,

2) who qualifies as a Data Broker, and

3) how to get in compliance.

Current State of Data Broker Regulations in the U.S.

Today 5 US states have passed regulations requiring Data Brokers to sign up for a public registry, or they could face collective fines of over $100,000 per year of non-compliance:

  • Vermont was the first state to require data brokers to register, under its Data Broker Act passed back in 2018

  • In 2023, the ball really started rolling when Texas passed SB2105 (Data Broker Act) in June 2023, requiring Data Brokers to register with the Secretary of State

  • Then Oregon showed up in July 2023 to pass HB 2052, requiring registration starting January 1st, 2024

  • California's Amended Data Broker Registration Law was signed into law in October 2023

  • And in May 2026, Connecticut became the fifth state, signing Public Act No. 26-64 into law. Connecticut's registration requirement takes effect January 1, 2027.

Heads up: Connecticut is the first state to follow California's Delete Act model, DROP, pairing the registry with a single-request deletion mechanism that lets a consumer delete from every registered broker at once. Connecticut's version launches in 2028. Read more about the Connecticut law in our dedicated blog post.

Privacy laws are a rapidly changing, ever-evolving space, and while we can't predict the future, we expect more states to add themselves to this list over time.

When is the deadline to register?

Each state sets its own registration window, and each requires an annual renewal.

  • Vermont's registration period is open from Jan 1st–Jan 31st every year

  • Texas' registration deadline is 1 year after your previous year's registration

  • Oregon's registration period is open from Dec 1st–Dec 31st every year

  • California's registration period is open from Jan 1st–Jan 31st every year

  • Connecticut requires you to be registered before you sell or license brokered personal data in the state, starting January 1, 2027. A registration runs through December 31st of the year it's issued and must be renewed annually.

If you've already missed a deadline, the potential fines keep accruing until you register.

Who needs to register?

Each state has slightly different requirements on who must register, but broadly, companies that meet the definition of Data Broker usually meet the following requirements:

  1. A business that knowingly collects the personal information of a consumer with whom the business does not have a direct relationship

  2. That business participates in Selling a consumer's personal information

    1. Selling is broadly defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating to a third party for monetary or other valuable consideration (including advertising)

Notably, this definition is WAY beyond what most people think of when they think of data brokers and pulls in many more categories of businesses that need to register, including:

  • Sales prospecting tools,

  • Lead-generation services,

  • CRMs,

  • ATSs,

  • People search sites, and

  • Advertisers who use lead lists for look-alike advertising

As long as you're transferring the personal data of anyone who's not a direct user or customer to a third party in exchange for any value at all, you likely have to register.

There are specific exemptions and qualifications in certain states, such as:

  • Vermont and Oregon only require registration if you are Selling the data of one of their residents.

  • Texas only requires registration if more than 50% of your business' revenue comes from Selling data, or if you're Selling the data of more than 50,000 people.

  • Connecticut uses specific categories of "brokered personal data" (name, address, date of birth, biometric data, Social Security number, and similar identifiers). It exempts businesses that have a contractual or other direct relationship with the consumer, as well as activity already regulated under the FCRA, GLBA, and HIPAA.

  • Most states also carve out employee data, credit reporting data, banking data, and medical data covered by HIPAA.

Bonus tip: To know for sure if you need to register, you can take the free assessment at https://trustsuperset.com

What are the consequences of noncompliance?

Each state has its own fee schedule for non-compliance. There are typically annual limits to the fees, but they roll over year to year, and we know California plans to enforce up to the statutory 5 years of non-compliance. So the sooner you register, the safer you are from high penalties.

  • Vermont has a fee schedule of $50 a day, up to a maximum of $10,000 per year

  • Texas has a fee schedule of $100 a day, up to a maximum of $10,000 per year

  • Oregon has a fee schedule of $500 a day, up to a maximum of $10,000 per year

  • California has a fee schedule of $200 a day plus the costs incurred by the CPPA in handling your case

  • Connecticut has a fee schedule of $200 a day.

So in total, Data Brokers that fail to register across all 5 states can face well over $170,000 in fines per year, plus additional administrative costs.

What are the costs of registering?

Every state requires a form and a registration fee to get registered, plus an annual renewal.

The current registration fees come out to a total of about $10,100 annually:

  • Vermont - $100, with the potential to increase to $900 if VT H.211 is signed into law

  • Texas - $300 + 2.7% fee ($8.10)

  • Oregon - $600 + $275 SoS Filing Fee **

  • California - $6,000 + 2.99% cc fee ($179.40) *

  • Connecticut - $2,500

* California recently lowered their registration fee from $6,600 to $6,000 per year

** Oregon can include additional hidden fees for entities with DBAs, out-of-state entities in need of a Certificate of Good Standing, and an Oregon Registered Agent

How to get in compliance with Data Broker Laws?

Getting in compliance with all 5 states' regulations is unfortunately difficult, because there's no consistency in the registration process across the "regulatory patchwork."

Some states have special complications and requirements, for example:

  • Vermont will — if VT H.211 is signed into law — start requiring the business to post a $20,000 surety bond.

  • Texas requires the business to list that it is a registered data broker on its website.

  • Oregon requires a registered agent in OR and an entity number from the Secretary of State to register.

  • California requires posting metrics on the number of, and average response time to, data access and deletion requests.

  • Connecticut mirrors another California requirement: maintaining a public, dark-pattern-free page on how consumers exercise their rights, and disclosing whether the business collects minors', geolocation, or reproductive or sexual health data.

By far the easiest way to comply with the Data Broker Laws in the US is with a registration agent like Superset. Register once with an agency, and we can determine which states you need to register in and automate your compliance for you.