Data Brokers and Personal Privacy
Data brokers are companies that collect, aggregate, and sell personal information about individuals, sourced from public records, commercial data sources, and online traces. In 2026, people search sites and data brokers continue to draw from these sources to create detailed profiles that include names, addresses, phone numbers, email addresses, and other personal details.[^c10] These companies range from digital advertising firms and location intelligence providers to people search websites and social media management platforms.[^c3]
The regulatory landscape for data brokers in the United States remains fragmented. As of 2026, twenty states have comprehensive privacy laws on the books, with new laws in Indiana, Kentucky, and Rhode Island taking effect on January 1, 2026.[^c7] California has the most extensive data broker regulations: the state's data broker registry includes approximately 570 firms, and laws such as SB 361 and [[California Delete Act (SB 362)|SB 362 (the Delete Act)]] require brokers to register annually, disclose detailed information about the data they collect, and process deletion requests through CalPrivacy's Delete Request and Opt-Out Platform (DROP).[^c3][^c4] Beginning August 1, 2026, data brokers must access DROP at least once every 45 days and process verified deletion requests.[^c4]
Despite these legal requirements, consumer engagement with opt-out mechanisms has been limited. Close to 150 of approximately 570 registered data brokers in California reported receiving zero deletion requests in 2024, and another 130 firms received fewer than 100 deletion requests.[^c3] The CPPA has complemented its enforcement work with a consumer awareness campaign — see [[topics/california-privacy-enforcement|California Privacy Enforcement]] for details.[^c3]
An investigation by The Markup and CalMatters found that 35 data brokers were using "no-index" code on their opt-out web pages to prevent them from appearing in Google search results, creating a technical barrier to consumers exercising their deletion rights.[^c5] After the investigation and a subsequent Senate inquiry led by Senator Maggie Hassan, most brokers removed the code; as of mid-2026, only eight of the original 35 still hide their deletion pages.[^c5] A Senate committee report estimated that consumers have lost more than $20 billion from fraud and identity theft related to data broker data breaches.[^c5]
Ohio is one of the most populous states without a comprehensive consumer privacy law, leaving its residents without a state-level right to request access to, deletion of, or control over the personal data that businesses collect about them.[^c9] The Ohio Personal Privacy Act (HB 376) stalled in committee, and a new Ohio Privacy Act introduced in March 2026 focuses on government entities rather than commercial data brokers.[^c9] Neighboring states Indiana and Kentucky have both enacted privacy laws, while Michigan's Personal Data Privacy Act has passed its state Senate.[^c9] The [[Ohio Resident Database]], a people search site that aggregates voter registration records, operates in this regulatory environment, drawing on Ohio's official voter registration database to publish registered party, voting history, home addresses, and other details.[^c1][^c2]
Public voter registration records serve as a key data source for many data brokers. Research has demonstrated that name and ZIP code alone can uniquely identify 95.81 percent of Texas voters and 87.79 percent of North Carolina voters when linked to other datasets.[^c11] In California, a critical legal question is whether data sourced from public records qualifies as "personal information" under the CCPA when it has been transformed through aggregation, enhancement, or licensing practices.[^c4]
At the federal level, the [[SECURE Data Act (H.R. 8413)]], introduced in April 2026, would create a single national privacy standard preempting state laws and establish a national data broker registry administered by the Federal Trade Commission.[^c8] The Electronic Privacy Information Center (EPIC) called the bill "worse than any privacy law we have evaluated," citing its weak data minimization standard, lack of universal opt-out signal requirements, absence of a private right of action, and broad preemption that would eliminate comprehensive privacy laws in 21 states, data broker registry laws in four states, and data breach notification laws in all 50 states.[^c6][^c8] The bill lacks bipartisan support.[^c8]
The first quarter of 2026 saw continued expansion in state-level data broker regulation. Under California's Delete Act, enacted in 2023, the definition of "data broker" is intentionally broad — encompassing any business that collects and sells personal information about California residents without a direct relationship to those individuals.[^c14] This definition reaches beyond traditional data vendors to include retailers, loyalty program operators, lead generation firms, and business intelligence providers that sell or enrich data acquired from third parties.[^c15] States have also rapidly expanded regulation of artificial intelligence: 44 states now have at least one AI law on the books, with hundreds of AI-related bills proposed in 2025 covering areas such as chatbot disclosures, algorithmic pricing notices, and automated decision-making.[^c16]
In parallel, bipartisan momentum has grown to close the "data broker loophole" that allows law enforcement and government agencies to purchase Americans' online data — including browser histories and location information — without a warrant.[^c12] In May 2026, the House Appropriations Committee adopted a bipartisan amendment (32-25) to an appropriations bill that would prevent such warrantless purchases, mirroring the Fourth Amendment Is Not For Sale Act.[^c12] House Freedom Caucus Chairman Andy Harris described the practice as federal law enforcement having "skirted the Constitution by purchasing and selling Americans' private data without judicial oversight."[^c13]
For consumers seeking to remove their information from data brokers and people search sites, experts recommend using a dedicated email address, submitting opt-out requests on official pages, handling identity verification with redacted documents, and rechecking listings periodically, as many brokers refresh their data.[^c10] Consumers in states with comprehensive privacy laws have additional legal rights to deletion and opt-out that can compel data brokers to remove their information.[^c10]