Data Brokers Face Rising Regulatory Pressure From States

June 9, 2026

Data brokers are facing heightened scrutiny at the state level. Several states are continuing to expand their data broker registration frameworks, enact substantive restrictions on certain categories of data sales, and pursue enforcement proceedings against companies.

Companies that generate revenue by aggregating, selling, licensing, or otherwise monetizing consumer data – regardless of how those activities are labeled internally – should carefully assess whether they fall within the scope of applicable state data broker frameworks. Below, we identify recent data broker developments that companies should be monitoring.

Data broker requirements are expanding, and failure to register as a data broker is a stand-alone enforcement hook.

Several states have data broker registration laws on the books – including California, Texas, Vermont, and Oregon. Most recently, Connecticut enacted a new data broker law that will require data broker registration, among other things, as of January 1, 2027. In addition to registration, data brokers are subject to expanding obligations, including new deletion requirements under California’s Delete Act and Connecticut’s new data broker law.

Under these laws, failure to register is an independent legal violation. Recent enforcement actions demonstrate that regulators do not need to show consumer harm to initiate investigations; non-registration alone may be sufficient. For example, last year, the California Privacy Protection Agency (CPPA) brought an enforcement action against a Florida-based broker for failing to register and pay an annual fee required by the California Delete Act.

The statutory definitions of “data broker” can be broad, often encompassing companies that collect personal information about consumers with whom they have no direct relationship and disclose or sell that information to third parties. Companies that have not conducted a formal data broker status assessment should treat that analysis as a near-term compliance priority, particularly given the expanding obligations and accelerating pace of enforcement.

Certain data sales are subject to strict prohibitions.

A growing number of states are prohibiting the sale of precise geolocation data. Most recently, Connecticut and Virginia amended their comprehensive privacy laws to prohibit the sale of precise geolocation, joining similar prohibitions in Maryland and Oregon. The Virginia prohibition will go into effect on July 1, 2026; the Connecticut prohibition will go into effect on October 1, 2026. These prohibitions represent a substantive departure from the notice-and-choice model that is typically found in state privacy law.

Similarly, there has been an ongoing trend to restrict or prohibit the sale of minors’ data. For example, under amendments to the Connecticut privacy law that are set to take effect on July 1, 2026, controllers subject to that law are prohibited from selling a consumer’s personal data “where a controller has actual knowledge, or willfully disregards, that the consumer is at least thirteen years of age but younger than eighteen years of age.” 

These trends signal a broader shift in policymaker interest in categorical restrictions on certain sensitive data practices, rather than reliance on notice and choice or a consent framework. Companies that sell, license, or otherwise monetize sensitive data should assess whether their practices comply with these state frameworks and monitor whether other states adopt similar prohibitions.

***

Companies that collect, share, or monetize data should reassess both their data broker classification and underlying data practices now, as obligations are expanding and enforcement activity and scrutiny are likely to continue. Even if companies do not consider themselves to be “data brokers” under the common meaning of that term, it is important to check that understanding against these emerging laws – especially for businesses operating in advertising, analytics, location services, and data enrichment, whose activities may be swept into these broad frameworks.  

Wiley’s Privacy, Cyber & Data Governance team has broad experience in navigating compliance issues around cutting-edge technology and the evolving legal landscape, and handling enforcement and litigation matters. For questions about this alert, please contact the authors.

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek