Data Broker Registration Requirements in 2026: State-by-State Guide

Are You a Data Broker? More Businesses Qualify Than You Think

Data broker registration has become one of the fastest-growing compliance obligations in US privacy law. In 2026, four states — California, Vermont, Texas, and Oregon — require businesses that meet their definition of "data broker" to register with state authorities, pay annual fees, and comply with specific operational requirements.

The expansion of California's data broker definition in 2024 means that many businesses that did not previously consider themselves data brokers now qualify. If your business collects personal information from sources other than directly from the consumer and sells or shares that data, you may need to register.

What Is a Data Broker?

The definition varies slightly by state, but the core concept is consistent: a data broker is a business that knowingly collects and sells or licenses the personal information of consumers with whom the business does not have a direct relationship.

This definition captures obvious examples like people-search websites, marketing data companies, and background check services. But it also captures less obvious businesses:

• Analytics companies that aggregate consumer data from multiple sources
• Ad-tech platforms that build audience profiles using third-party data
• App SDK providers that collect data through other companies' apps (as in the Allstate/Arity case)
• Lead generation services that compile and sell consumer contact information
• Real estate data aggregators, credit header data resellers, and similar businesses

Not sure if your business qualifies? Take our Data Broker Classification Quiz to find out.

State-by-State Registration Requirements

California — The Most Comprehensive

California's data broker registration program, administered by the California Privacy Protection Agency (CPPA), is the most extensive in the nation. Following the passage of the Delete Act (SB 362) in 2023, California's requirements go far beyond simple registration.

Key requirements:

• Annual registration with the CPPA between January 1–31 each year
• Annual fee: $6,000 (significantly increased from the original $400 fee)
• Detailed disclosures about data collection practices, categories of data sold, and data sources
• Delete Request and Opt-Out Platform (DROP) — starting August 1, 2026, data brokers must connect to the state-run DELETE mechanism and process consumer deletion requests at least once every 45 days
• Penalties: Failure to register may result in administrative fines of up to $200 per day. The CPPA has already brought enforcement actions against non-compliant data brokers in January 2026.

The CPPA published its first round of data broker enforcement actions on January 8, 2026, targeting companies that failed to register by the deadline.

Vermont — The Pioneer

Vermont was the first state to require data broker registration (effective 2019). While less demanding than California, it established the model other states followed.

• Annual registration with the Vermont Secretary of State by January 31
• Annual fee: $100
• Disclosures: Name, contact info, opt-out methods, data collection practices, whether the broker has experienced a data breach
• Penalties: Up to $10,000 per violation of registration requirements, enforced by the AG

Texas — Tied to Comprehensive Privacy Law

The Texas Data Privacy and Security Act (TDPSA) includes data broker registration requirements alongside its broader consumer privacy protections.

• Registration with the Texas Secretary of State
• Annual fee: $300
• Must post a conspicuous notice on their website indicating they are a data broker
• Penalties: Up to $10,000 per violation; the AG's Allstate lawsuit includes data broker violations alongside TDPSA claims

Oregon — Highest Daily Penalties

Oregon's Consumer Privacy Act includes data broker registration provisions with notably aggressive penalty structures.

• Registration with the Oregon Department of Consumer and Business Services before conducting business
• Valid through December 31 of the registration year; renewals due in December
• Penalties: $500 per day for failure to register, up to $10,000 per year — the highest daily penalty rate among the four states

The California DELETE Act: What Changes on August 1, 2026

The biggest upcoming change is California's DELETE mechanism going fully operational on August 1, 2026. Here is what it means:

• The CPPA operates a centralized Delete Request and Opt-Out Platform (DROP)
• Consumers can submit a single deletion request that applies to all registered data brokers simultaneously
• Data brokers must access DROP at least once every 45 days to check for and process deletion requests
• Data brokers must delete all personal information held about a requesting consumer, subject to limited exceptions
• This effectively creates a "one-click delete everything" mechanism for California consumers

For businesses, this means building the technical infrastructure to regularly connect to DROP, process bulk deletion requests, and maintain compliance documentation.

How to Determine If You Need to Register

1. Map your data flows — identify all personal information you collect, the sources of that data, and the third parties you share it with
2. Check the "direct relationship" test — if you collect data about consumers you have no direct relationship with (e.g., through third-party SDKs, purchased lists, or scraped data), you likely qualify
3. Use our quiz — our Data Broker Classification Quiz walks you through the analysis for all four states
4. Check your state exposure — use the privacy law calculator to see which states' laws apply to your business

Compliance Checklist

1. Register in all applicable states before their respective deadlines
2. Budget for fees — especially California's $6,000 annual fee
3. Build DROP integration — California's DELETE mechanism requires technical implementation by August 2026
4. Post required notices — Texas requires a conspicuous website notice; other states have disclosure requirements
5. Prepare for deletion requests — implement processes to fulfill deletion requests within the timeframes required by each state
6. Monitor for new states — additional states are considering data broker legislation. Check our compliance deadlines tracker for updates.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.