US Data Broker Registration Laws & the Delete Act
As of 2026, four US states require data brokers to register with a state agency: California (with the California Privacy Protection Agency), Texas (Secretary of State), Oregon (Department of Consumer and Business Services), and Vermont (Secretary of State). The headline development is California's Delete Act (SB 362 of 2023), which builds on California's existing data broker registry to create a single, statewide deletion tool, so a California consumer can ask every registered broker to delete their data in one request.
That tool is the Delete Request and Opt-out Platform, or DROP, run by the California Privacy Protection Agency. As of 2026, the DROP is live for consumers, and registered data brokers must begin honoring deletion requests submitted through it later in the year, turning a once broker-by-broker chore into one universal opt-out.
Jurisdiction scope: This covers US state data broker registration laws (California, Texas, Oregon, Vermont) and the California Delete Act. It is general legal information, not legal advice.
What a data broker is
A data broker is, in plain terms, a company that builds and sells profiles of people it has never directly dealt with. The recurring statutory thread across all four registration states is the absence of a direct relationship: the broker collects personal information about consumers and then sells or licenses it to third parties, even though those consumers are not its customers.
Vermont, which wrote the first such law, defines a data broker at 9 V.S.A. ch. 62 as a business or unit of a business that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. California uses nearly the same formulation. Under Civil Code section 1798.99.80, a data broker is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
Oregon frames the same idea around brokered data. Under ORS 646A.593, a data broker is a business, or part of a business, that collects and sells or licenses brokered personal data about a resident with whom the business does not have a direct relationship. "Brokered personal data" includes data points such as name, address, date or place of birth, Social Security or other government identifier, and biometric information when organized for sale or licensing.
Texas takes a different angle. Under Business and Commerce Code section 509.001, a data broker is a business entity whose principal source of revenue is derived from collecting, processing, or transferring personal data that the entity did not collect directly from the individual. That revenue test means a Texas data broker is defined less by the direct-relationship language and more by how central data resale is to its business model.
The practical effect is the same in every state. People-search sites, list compilers, marketing-data vendors, and many ad-tech and identity-resolution companies tend to fall inside these definitions, while a retailer selling its own customer list usually does not, because that retailer has a direct relationship with the people in the list.
The four states that require data broker registration
As of 2026, registration laws exist in Vermont, California, Oregon, and Texas. Each requires brokers to identify themselves to a state agency, pay an annual fee, and provide basic information so consumers and regulators can find them. The table below summarizes the four, and a separate subsection for each follows.
| State | Statute | Agency | Effective | Registration deadline | Fee / penalty |
|---|---|---|---|---|---|
| Vermont | 9 V.S.A. ch. 62 (Act 171 of 2018) | Secretary of State | 2018 / 2019 | Annually, Jan 1 to Jan 31 | $100 fee; $50/day, max $10,000/year |
| California | Civil Code 1798.99.80 et seq. (AB 1202; SB 362 Delete Act) | Privacy Protection Agency | 2020; DROP live Jan 1, 2026 | On or before Jan 31 | Agency-set fee; $200/day to register; $200/request/day under Delete Act |
| Texas | Bus. & Com. Code ch. 509 (SB 2105 of 2023) | Secretary of State | Sept 1, 2023 (applies on/after Dec 1, 2023) | Annual | $300 fee; min $100/day plus fees, max $10,000 per 12 months |
| Oregon | ORS 646A.593 (HB 2052 of 2023) | Dept. of Consumer and Business Services | Jan 1, 2024 | Annual | $600 fee; up to $500/day, max $10,000/year |
Vermont: the first data broker law (9 V.S.A. ch. 62)
Vermont enacted the country's first data broker registration law as Act 171 of 2018. The data broker provisions are codified at 9 V.S.A. chapter 62, with the annual registration requirement at section 2446. Brokers register with the Vermont Secretary of State annually, between January 1 and January 31, for each year in which the business met the definition of a data broker.
The registration fee is $100. A broker that fails to register is liable to the State for a civil penalty of $50 for each day it is not registered, not to exceed $10,000 for each year, plus an amount equal to the fees due during the period it failed to register. Enforcement runs through the Vermont Attorney General, and a failure to register can be treated as an unfair and deceptive act under Vermont's consumer protection law. Vermont also requires registered brokers to provide certain disclosures, including information about how consumers can opt out where the broker offers that option.
California: AB 1202 registry plus the Delete Act (Civil Code 1798.99.80 et seq.)
California created its data broker registry through AB 1202 of 2019, codified at Civil Code section 1798.99.80 and following. Under section 1798.99.82, a data broker must register with the state on or before January 31 following each year in which it met the definition, and pay a registration fee. The registry was originally administered by the Attorney General and is now run by the California Privacy Protection Agency. A broker that fails to register is liable for a civil penalty of $100 for each day it fails to register, plus the fees it should have paid.
California then went much further than any other state with the Delete Act, SB 362 of 2023, which is covered in detail in the next section. The Delete Act layered a universal deletion mechanism on top of the existing registry and moved oversight of the registry to the California Privacy Protection Agency. As of 2026, a California data broker must both appear in the registry and be prepared to honor deletion requests routed through the state's central platform.
Texas: Secretary of State registration (Bus. & Com. Code ch. 509)
Texas adopted its data broker law as SB 2105 of 2023, codified at Business and Commerce Code chapter 509. The Act took effect September 1, 2023, and applies to the collection, processing, or transfer of personal data by a data broker on or after December 1, 2023. Brokers register annually with the Texas Secretary of State, and the first registration period ran with a deadline in early 2024.
The registration fee is $300. The civil penalty for noncompliance must be at least the total of $100 for each day the entity is in violation plus the unpaid registration fees for each year it failed to register, but the total assessed against a single broker may not exceed $10,000 in any 12-month period. The statute also imposes data security duties on brokers, separate from the registration obligation.
Oregon: registration with DCBS (ORS 646A.593)
Oregon became the fourth registration state through HB 2052 of 2023, codified at ORS 646A.593. The requirement took effect January 1, 2024. Brokers register with the Oregon Department of Consumer and Business Services, which administers the registry through its Division of Financial Regulation.
The registration fee is $600, with a $600 renewal. As part of registering, a broker must describe the methods consumers can use to opt out of the collection, sale, or licensing of their personal data. The Department may impose a civil penalty of up to $500 per violation, and for a continuing violation, $500 for each day it continues, with total penalties capped at $10,000 in any calendar year.
The California Delete Act and the DROP universal-delete tool
The Delete Act, SB 362 of 2023, is the centerpiece of US data broker regulation as of 2026. Before it, opting out of data brokers meant finding each broker, locating its opt-out page, and submitting a separate request, often dozens of times, with no guarantee the data stayed deleted. The Delete Act replaces that with a single point of contact.
The law directs the California Privacy Protection Agency to build and operate the Delete Request and Opt-out Platform, known as the DROP. Through the DROP, a California consumer can make one request to delete the personal information held by every data broker registered with the state. Brokers do not pick which requests to honor; they must check the platform and process the deletion requests that match their records.
The timeline is set by statute and agency rule. As of 2026, the DROP is live: consumers can begin submitting deletion requests on January 1, 2026. Registered data brokers must begin processing those DROP requests on August 1, 2026. From that date, a broker must access the DROP at least once every 45 days, delete the personal information of any consumer whose request matches the broker's records unless an exemption applies, and direct its service providers and contractors to do the same. Brokers must report the status of each request in the DROP, generally within 45 days of retrieving it.
The enforcement teeth are significant. Under Civil Code section 1798.99.86, a registered data broker that fails to comply is liable for administrative fines of $200 for each deletion request for each day the broker fails to delete information as required. Because a single consumer request can sit unhonored day after day, and because the platform handles requests at scale, that per-request, per-day structure can compound quickly. The Delete Act also layers in independent audits of brokers on a recurring cycle, adding a compliance-verification requirement on top of registration and deletion.
The DROP matters beyond California. It is the first government-run, broker-agnostic deletion system in the country, and it gives California residents leverage that consumers in other states do not yet have. Companies that register in California must therefore engineer their systems to receive and act on centralized deletion requests, not just maintain their own opt-out pages.
How registration differs from comprehensive privacy laws
It is easy to conflate data broker registration with the broader wave of state privacy laws, but they are distinct, and the difference matters. A comprehensive consumer privacy law, such as California's CCPA or the privacy acts in states like Texas, Oregon, Virginia, and Colorado, regulates how almost any covered business handles personal data. It grants consumers rights to access, correct, delete, and opt out, and it imposes duties like data minimization, purpose limitation, and honoring universal opt-out signals.
A data broker registration law is narrower and additive. It targets a specific category of business, the broker with no direct relationship to the people it profiles, and its core requirement is a transparency step: identify yourself to the state, pay a fee, and appear on a public list. Registration does not, by itself, create the full suite of consumer rights that a comprehensive law does. It mainly makes brokers visible.
This is why some states overlap. Texas and Oregon have both a comprehensive privacy law and a separate data broker registration requirement; a Texas broker can be subject to the comprehensive Texas Data Privacy and Security Act and to Chapter 509 registration at the same time. California similarly runs the broad CCPA framework alongside its registry and the Delete Act. Vermont, by contrast, had a data broker registry for years before it enacted a comprehensive privacy law, showing that registration can exist on its own.
For consumers, the takeaway is that registration laws are the reason a public, searchable list of brokers exists in these four states, and in California, the reason a universal deletion tool now exists. The substantive rights to delete or limit data still flow largely from the comprehensive laws and, in California, from the Delete Act built on top of the registry.
What consumers can do
As of 2026, the strongest consumer tool is California's DROP. A California resident can submit a single deletion request through the state platform and reach every broker registered with the California Privacy Protection Agency, rather than chasing each company individually. Residents of other states do not have an equivalent universal tool yet, but the public registries still help.
In all four registration states, the registry is public, so a consumer can look up which brokers have registered and find the contact and opt-out information each broker is required to provide. Vermont and Oregon both require brokers to describe how consumers can opt out, and that information appears with the registration. From there, a consumer can use each broker's own opt-out process, and in California can rely on the DROP instead.
Beyond the registration states, consumers can still exercise deletion and opt-out rights under whatever comprehensive privacy law applies where they live, and can submit individual opt-out requests to brokers directly. Our companion guide on how to opt out of data brokers walks through the step-by-step process, including the broker-by-broker route that remains the only option in most of the country. Because brokers continually re-collect data, opting out is rarely one-and-done; periodic follow-up is usually necessary, which is part of why California's recurring, platform-based model is significant.
Related guides
- Data privacy laws hub
- How to opt out of data brokers
- US state privacy laws comparison
- What is the CCPA?
Sources
Sources and References
- California Privacy Protection Agency: Data Broker Registry(cppa.ca.gov).gov
- California Civil Code 1798.99.80 et seq.: Data Broker Registration (AB 1202)(leginfo.legislature.ca.gov).gov
- California SB 362 (2023): the Delete Act(leginfo.legislature.ca.gov).gov
- CPPA: Delete Request and Opt-out Platform (DROP) Requirements(cppa.ca.gov).gov
- Texas Business and Commerce Code Chapter 509: Data Brokers(statutes.capitol.texas.gov).gov
- Texas SB 2105 (88th Legislature): Data Broker Law(capitol.texas.gov).gov
- Oregon Revised Statutes 646A.593: Data Broker Registration(oregonlegislature.gov).gov
- Oregon DCBS Division of Financial Regulation: Data Broker Registry(dfr.oregon.gov).gov
- Vermont 9 V.S.A. Chapter 62: Protection of Personal Information (Data Brokers)(legislature.vermont.gov).gov
- Vermont Act 171 of 2018: Data Brokers and Consumer Protection (As Enacted)(legislature.vermont.gov).gov