Data Brokers and Personal Privacy
Data brokers are companies that collect, aggregate, and sell personal information about individuals, sourced from public records, commercial data sources, and online traces. In 2026, people search sites and data brokers continue to draw from these sources to create detailed profiles that include names, addresses, phone numbers, email addresses, and other personal details.[^c10] These companies range from digital advertising firms and location intelligence providers to people search websites and social media management platforms.[^c3]
California's DROP Platform
The regulatory landscape for data brokers in the United States remains fragmented. As of 2026, twenty states have comprehensive privacy laws on the books, with new laws in Indiana, Kentucky, and Rhode Island taking effect on January 1, 2026.[^c7] California has the most extensive data broker regulations: the state's data broker registry includes approximately 580 firms, a record high,[^c25] and laws such as SB 361 and [[California Delete Act (SB 362)|SB 362 (the Delete Act)]] require brokers to register annually, disclose detailed information about the data they collect, and process deletion requests through [[California Privacy Protection Agency|CalPrivacy]]'s Delete Request and Opt-Out Platform (DROP).[^c3][^c4]
DROP, which launched on January 1, 2026, saw immediate adoption. More than 300,000 California residents had signed up within five months, and by June 2026 the Data Broker Registry reached a record 581 registered brokers.[^c24][^c25] Beginning August 1, 2026, data brokers must access DROP at least once every 45 days and process verified deletion requests,[^c4] with fines of $200 per request per day and no statutory cap. DROP remains the only universal deletion mechanism in the United States. In 2024, before DROP launched, close to 150 of approximately 570 registered data brokers in California reported receiving zero deletion requests, and another 130 firms received fewer than 100 requests;[^c3] the DROP platform is designed to centralize and streamline the process.
CalPrivacy has complemented its enforcement work with a consumer awareness campaign backed by a nearly $8 million budget.[^c3] An investigation by The Markup and CalMatters found that 35 data brokers were using "no-index" code on their opt-out web pages to prevent them from appearing in Google search results, creating a technical barrier to consumers exercising their deletion rights.[^c5] After the investigation and a subsequent Senate inquiry, most brokers removed the code; as of mid-2026, only eight of the original 35 still hide their deletion pages.[^c5]
State Data Broker Registries Expand
Beyond California, state-level data broker regulation saw significant expansion in 2026. Connecticut passed Senate Bill 4 in May 2026, signed by Governor Ned Lamont on May 27, becoming the fifth state to enact comprehensive legislation to regulate data brokers, joining California, Texas, [[Vermont Data Broker Registry|Vermont]], and Oregon.[^c19] The Connecticut law requires data brokers to register with the Department of Consumer Protection by January 1, 2027, pay a $2,500 annual fee, and submit to a centralized consumer deletion mechanism by 2028. Connecticut also became the second state after California to mandate a centralized consumer deletion mechanism.
Texas expanded its data broker definition via Senate Bill 2121, effective September 1, 2025, removing the "principal source of revenue" qualifier to cover any business that "collects, processes, or transfers personal data that the business entity did not collect directly from the individual," broadening the range of entities required to register.[^c31] Vermont passed H.211, which was delivered to the governor on May 29, 2026; the bill raises the annual registration fee from $100 to $900 and increases daily penalties for failing to register from $50 to $200, while replacing an original deletion-right provision with a feasibility study for a centralized deletion mechanism.
In June 2026, Massachusetts lawmakers voted unanimously to pass the Consumer Data Privacy Act, granting residents new rights over accessing and deleting their data and banning the sale of precise geolocation data, biometrics, and markers of religion, immigration status, and sexual orientation without explicit consent.[^c26] Oregon enacted Senate Bill 1587, effective June 5, 2026, prohibiting state and local government bodies from disclosing personally identifiable information to data brokers unless the broker attests the data will not be used for federal immigration enforcement.
States are also shifting from notice-and-choice frameworks toward outright prohibitions on certain categories of data sales.[^c27] Virginia (effective July 1, 2026) and Connecticut (effective October 1, 2026) enacted bans on the sale of precise geolocation data, joining similar prohibitions in Maryland and Oregon. Analysts have noted that failure to register as a data broker is increasingly an independent enforcement hook, with regulators not required to show consumer harm to initiate investigations.
Enforcement Activity in 2026
The first half of 2026 saw a significant escalation in enforcement activity across multiple jurisdictions. California regulators issued more than $4.22 million in penalties in the first quarter alone, including a $2.75 million settlement with Disney and a $1.1 million fine against PlayOn Sports.[^c20] General Motors agreed to pay $12.75 million in May 2026, the largest civil penalty ever under the California Consumer Privacy Act, for selling driving data of hundreds of thousands of Californians to data brokers without adequate consent.[^c21] The Federal Trade Commission also finalized a consent order against GM and OnStar in January 2026, barring the automaker from sharing geolocation and driving behavior data with consumer reporting agencies for five years, in the agency's first enforcement action regarding connected vehicle data.[^c17] The FTC sanctioned location data broker Kochava in May 2026, banning the sale of sensitive location data without affirmative express consent. The FTC also sent warning letters to 13 data brokers in February 2026 regarding compliance with the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), which prohibits selling sensitive personal data of Americans to foreign adversaries, including China, Russia, Iran, and North Korea.[^c18] California's Data Broker Enforcement Strike Force fined Rickenbacher Data LLC $45,000 for failing to register and for selling health-condition-targeted lists of millions of individuals, including those with Alzheimer's disease.
Ohio and State-Level Gaps
Ohio remains one of the most populous states without a comprehensive consumer privacy law, leaving its residents without a state-level right to request access to, deletion of, or control over the personal data that businesses collect about them.[^c9] The [[Ohio Resident Database]], a people search site that aggregates voter registration records, operates in this regulatory environment, drawing on Ohio's official voter registration database to publish registered party, voting history, home addresses, and other details.[^c1][^c2] Ohio House Bill 807, introduced in April 2026, would close loopholes allowing state agencies to share or sell data to private data brokers and prevent automatic sharing of state-held data with federal immigration authorities without consent. The bill remains in committee as of June 2026. The Ohio Bureau of Motor Vehicles generated more than $250 million over the past decade by selling driver and vehicle personal information to data brokers, credit agencies, and insurance companies under exemptions in the federal Driver's Privacy Protection Act, precisely the practice HB 807 aims to restrict.
Federal Legislation
At the federal level, the [[SECURE Data Act (H.R. 8413)]], introduced in April 2026, would create a single national privacy standard preempting state laws and establish a national data broker registry administered by the Federal Trade Commission.[^c8] The Electronic Privacy Information Center (EPIC) called the bill "worse than any privacy law we have evaluated," citing its weak data minimization standard, lack of universal opt-out signal requirements, absence of a private right of action, and broad preemption.[^c6] In June 2026, a House subcommittee held a hearing on the bill, with Ranking Member Frank Pallone criticizing its expansive preemption clause that would invalidate stronger state laws, including California's DROP platform, and describing the bill as one that "locks in the failed notice and consent status quo."[^c22] The bill lacks bipartisan support.
National Security and the Data Broker Loophole
The national security implications of the data broker industry gained significant attention in 2026. In April 2026, U.S. Central Command confirmed that commercially obtained location data from data brokers was being exploited to target deployed U.S. military personnel in combat zones.[^c23] Duke University researchers found that data brokers sell sensitive data about active-duty military members for as little as $0.12 per record.[^c28] The Department of Justice's April 2025 rule prohibiting data broker sales of sensitive location data to countries of concern was found to have omitted the White House, Congress, and CIA headquarters from its list of 736 protected locations, confirming that enforcement gaps persist even after major regulatory action.[^c29]
Bipartisan momentum has grown to close the "data broker loophole" that allows law enforcement and government agencies to purchase Americans' online data — including browser histories and location information — without a warrant.[^c12] In May 2026, the House Appropriations Committee adopted a bipartisan amendment (32-25) that would prohibit the FBI, DEA, U.S. Marshals, and ATF from purchasing personal data without judicial oversight, mirroring the [[Fourth Amendment Is Not For Sale Act]].[^c12] More than 130 civil society organizations urged Congress to close the loophole as part of FISA Section 702 reauthorization. New Mexico Attorney General Raúl Torrez led a bipartisan coalition of 17 state attorneys general in sending a letter to Congress in March 2026, warning that the "data broker loophole" was "rife for abuse by forces seeking to compromise national security."
Internationally, German police in at least two states were found to be purchasing advertising data from data brokers for criminal investigations, a practice legal experts described as having no legal basis under German law and risking uncontrolled mass surveillance.[^c30] The practice parallels the U.S. data broker loophole and highlights the global nature of law enforcement access to commercially collected data.
Consumer Opt-Out
For consumers seeking to remove their information from data brokers and people search sites, experts recommend using a dedicated email address, submitting opt-out requests on official pages, handling identity verification with redacted documents, and rechecking listings periodically, as many brokers refresh their data.[^c10] Consumers in states with comprehensive privacy laws have additional legal rights to deletion and opt-out that can compel data brokers to remove their information.[^c10] California's DROP platform provides the only universal deletion mechanism in the United States, allowing residents to submit a single deletion request to all registered data brokers, while Connecticut is developing a similar mechanism.