Yes, data brokers are largely legal in the United States. There is no comprehensive federal data privacy law governing the data broker industry, though sector-specific regulations and a growing patchwork of state data broker laws provide some consumer protections.
Federal Data Privacy Laws in the United States
Fair Credit Reporting Act (FCRA): Regulates companies providing information for credit, employment, insurance, or housing decisions. In December 2024, the CFPB proposed a rule to bring data brokers under FCRA oversight, but withdrew the proposal in May 2025, citing concerns about statutory authority. The failed rule highlights the ongoing gap between data broker practices and federal regulation.
HIPAA: Protects health information held by healthcare providers — but does not cover health data collected by data brokers through loyalty programs, fitness apps, or online purchases. This gap means that health-related data points in broker profiles have almost no federal protection.
COPPA: Restricts collection of information about children under 13, with limited enforcement regarding data brokers.
State Data Broker Laws
California (CCPA/CPRA): Gives residents rights to know what’s collected, request deletion, and opt out of data sales. California also maintains a data broker registry where brokers must register. In January 2026, CalPrivacy launched DROP — a platform enabling a single deletion request to reach participating CCPA data brokers.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): Similar consumer privacy rights, all effective since 2023. These laws give residents the right to access, correct, and delete personal data, though enforcement mechanisms vary.
Texas (TDPSA): Effective July 2024, adds data broker registration requirements and grants consumers deletion rights.
Oregon (OCPA), Montana (MCDPA): Both effective 2024, expanding the patchwork of state-level protections.
International Data Privacy Laws
EU General Data Protection Regulation (GDPR): The strongest data privacy framework globally, giving EU residents the right to erasure and strict consent requirements. Data brokers operating in the EU face significant restrictions.
India’s Digital Personal Data Protection Act (2023, rules effective 2025): Establishes consent-based data processing and penalties up to ₹250 crore (~$30M) for violations.
These international frameworks matter because many data brokers operate globally. If you have connections to the EU or other regulated jurisdictions, you may have additional rights beyond U.S. law.
Why Data Broker Laws Aren’t Enough
Data brokers operate across jurisdictions — a California deletion request doesn’t affect a Texas-based broker’s copy of your data. Penalties are often insufficient to deter violations. Consumers must proactively exercise their rights, and most people don’t know these rights exist. The regulatory gap is even wider for consumer-facing people search sites, which often fall outside FCRA oversight entirely. Legal protections help, but personal action remains necessary.
FAQ
Can I sue a data broker? If a data broker violates the CCPA, FCRA, or another applicable law, legal action may be possible. The CCPA provides a private right of action for data breaches, and FCRA violations can result in statutory damages. Consult a privacy attorney for your specific situation.
What is California’s DROP platform? DROP (Delete Request and Opt-Out Platform) launched January 2026, allowing California residents to submit a single deletion request to participating data brokers. It’s a significant step, but only covers brokers that have registered with the state — many operate without registration.
Does the question “are data brokers legal” have a simple answer? Mostly yes. Their activities are legal because most data comes from public records and consented sources. Regulation is growing but remains incomplete — which is why proactive removal matters regardless of what the law provides.