
As daily communications and transactions increasingly shift from in-person to online, the supply and demand for personal data have surged. An entire industry of data brokers has emerged—entities that collect personal data from various sources, both private and public, and sell or transfer them to third parties for profit. This market, however, often comes at the cost of consumers’ sensitive personal information and even national security, as data belonging to military personnel or politically sensitive individuals may be exposed.[1]
To date, there is no comprehensive federal law regulating data brokers. The Consumer Financial Protection Bureau (CFPB) proposed a rule on December 3, 2024, to limit the sale of key personal information—such as Social Security numbers and phone numbers—under its interpretation of the Fair Credit Reporting Act (FCRA).[2] However, the CFPB ultimately concluded that such a rule was “not necessary or appropriate at this time,” citing inconsistencies with its current interpretation of the FCRA.
In the absence of a federal framework, several states have taken the initiative to protect consumer information through their own legislation. California, Oregon, Texas, and Vermont have each enacted laws requiring data brokers to register with state administrative agencies.[3] New York is also considering a bill that would prohibit the sale of personal information belonging to current and former military service members.[4] Leading these efforts, California Governor Gavin Newsom signed SB 361 into law on October 28, 2025. This bill expands the disclosure requirements established by the previous California Delete Act and doubles the penalty for violations from $100 to $200 per day per violation.[5] Because violators remain liable until they meet statutory compliance, the law imposes substantial financial pressure on noncompliant data brokers.
Despite the lack of a federal regulatory regime, individuals in states without data broker laws may still pursue remedies under existing federal statutes. For instance, a consumer who discovers that their personal data has been unlawfully obtained or transmitted to a data broker—either directly or indirectly—may bring a claim under the Electronic Communications Privacy Act of 1986 (18 U.S.C. §§ 2510–23).[6] By alleging intentional and contemporaneous interception of electronic communications without consent,[7] plaintiffs can seek statutory damages on a per-day, per-offense basis, even without proving actual harm.[8] While this approach imposes a higher burden of proof and offers less comprehensive protection than direct regulation, it demonstrates that federal law continues to recognize the importance of privacy in electronic communications.
In conclusion, the current regulatory landscape for data brokers remains limited: there is no controlling federal framework, and only a handful of states have enacted targeted laws. Nonetheless, these state-level initiatives reflect a growing recognition of the need to safeguard consumer data. Meanwhile, individuals may still seek relief under broader federal privacy statutes, though such avenues typically demand greater evidentiary burdens and offer narrower protections.
[1] Dell Cameron & Dhruv Mehrotra, CFPB Quietly Kills Rule to Shield Americans From Data Brokers, Wired (May 14, 2024), https://www.wired.com/story/cfpb-quietly-kills-rule-to-shield-americans-from-data-brokers/.
[2] Consumer Financial Protection Bureau, CFPB Proposes Rule to Stop Data Brokers from Selling Sensitive Personal Data to Scammers, Stalkers, and Spies (Dec. 3, 2024), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-stop-data-brokers-from-selling-sensitive-personal-data-to-scammers-stalkers-and-spies/.
[3] DLA Piper, Registration in the United States (last modified Feb. 6, 2025), https://www.dlapiperdataprotection.com/?t=registration&c=US.
[4] S.B. 6797, 2025 Gen. Assemb., Reg. Sess. (N.Y. 2025).
[5] Andrew Folks, New Law and Regulations Expand California's Data Broker Oversight, Frankfurt Kurnit Klein & Selz PC (Oct. 8, 2025), https://technologylaw.fkks.com/post/102lp8c/new-law-and-regulations-expand-californias-data-broker-oversight.
[6] 18 U.S.C. § 2511.
[7] See Backhaut v. Apple, Inc., 74 F. Supp. 3d 1033, 1044 (N.D. Cal. 2014); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107 (3d Cir. 2003).
[8] 18 U.S.C. § 2520.
