Privacy Obligations When Working with Data Brokers

Organizations that purchase or use brokered data may face significant privacy obligations, even if they are not the original collectors of the information. In this article, we explain how those obligations arise, highlight key compliance considerations across jurisdictions, including the European Union and the United States, and provide a practical checklist for organizations working with data brokers.

What Is a Data Broker?

In general terms, a data broker is a company that collects, aggregates, analyzes, and sells information about individuals to other organizations.

While there is no universally accepted legal definition of “data broker”, several U.S. privacy laws define the term for specific regulatory purposes. For example, under California’s Delete Act, a data broker is defined as:

“a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”.

Other U.S. state laws use similar formulations, with a key distinguishing feature being that the data broker has no direct relationship with the individual whose personal data is sold.

By contrast, the GDPR does not define the term “data broker.” Rather than regulating specific business models, the GDPR focuses on the roles organizations play in processing personal data. As a result, a data broker—and an organization that purchases data from it—will be classified as a controller, joint controller, or processor depending on who determines the purposes and means of the processing.

How Data Brokerage Works

Data brokers collect personal data from multiple sources and consolidate it into detailed profiles. Sources may include:

  • Public records and government databases
  • Partnerships with other businesses
  • Online activity tracking, such as website tracking, cookies, and social media scraping
  • Offline sources, such as surveys, loyalty programs, or purchase records

Brokers analyze and link data to create comprehensive individual profiles, often connecting multiple identifiers across different datasets. These profiles give businesses a more complete understanding of each consumer and are sold for targeted marketing, customer segmentation, or the personalization of products and services. While brokers collect the data, organizations that use it and determine the purposes and methods of processing may assume data controller responsibilities under GDPR and other privacy laws.

Distinctions Between Data Broker Regulation in the EU and the U.S.

Data broker regulation differs between the European Union and the United States, both in underlying legal principles and in practical obligations.

In the European Union, the GDPR applies broadly to all processing of personal data, whether by brokers, organizations that purchase brokered data, or other data controllers. Under the GDPR, any processing of personal data must have a lawful basis such as consent, legitimate interests, or contractual necessity. If an organization uses brokered data to determine the purposes and means of processing, it must identify a lawful basis, document it, and fulfill transparency, accountability, and other obligations. This includes providing detailed information to individuals when their data is collected from sources other than them, such as a broker.

By contrast, the United States does not have a single federal law that broadly regulates privacy or data brokers. Instead, there are some state-level data broker laws that require registration with a state authority and disclosures about practices, without necessarily requiring a GDPR-style lawful basis for processing personal data.

U.S.

The following four states have enacted data broker statutes with specific registration and disclosure requirements:

  • California Delete Act requires data brokers to annually register with the California Privacy Protection Agency (CalPrivacy) and to participate in the Delete Request and Opt-Out Platform (DROP). Beginning August 1, 2026, data brokers must process consumer deletion and opt-out requests submitted through DROP at least every 45 days, report on such requests, and periodically undergo third-party audits. The DROP mechanism allows a consumer to submit a single request that applies to all registered data brokers.
     
  • Texas Data Broker Act requires data brokers to register annually with the Texas Secretary of State before engaging in their brokerage activities. Brokers must disclose that they are a data broker on their websites or apps, implement a comprehensive information security program to safeguard personal data, and comply with specific training and security requirements. 
     
  • Vermont Data Broker Regulation was the first in the United States to regulate data brokers. It requires annual registration with the Vermont Secretary of State, disclosure of opt-out procedures, statements about purchaser credentialing, and reporting of security incidents. House Bill 211 has also been introduced to the Vermont House of Representatives, with proposals to strengthen these existing regulations.
     
  • Oregon Data Broker Registration Law requires data brokers to register annually with the Oregon Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data about Oregon residents. Registration includes disclosure of how individuals may opt out of data collection or sales.

EU

In the EU, data brokers fall within the scope of the GDPR, which applies to all entities that process personal data and does not differentiate data brokers from other data controllers or processors in terms of obligations. Key requirements include:

  • Lawful Basis for Processing: Any processing of personal data, including data collected from third parties such as brokers, must be supported by a lawful basis under GDPR Article 6.
  • Transparency and Information Obligations: When personal data is obtained from sources other than the individual, controllers must inform the individual about the source, purposes of processing, data recipients, and data subject rights, unless specific exceptions apply (GDPR Articles 13 and 14).

Unlike U.S. state laws, the EU does not provide a “data broker registry” or statute relating to data brokers specifically. Instead, the GDPR embeds obligations within a comprehensive privacy framework that applies to all organizations processing personal data.

Checklist for Organizations Working With Data Brokers

The following checklist provides practical steps to help organizations manage brokered data responsibly, maintain transparency, and stay aligned with privacy laws:

  1. Verify the Source of the Data Collected

    Before acquiring or using personal data from a broker, organizations must understand exactly where it originates and how it was collected. This includes determining whether the data was compiled directly by the broker or sourced from another party, whether it was collected directly from individuals or through public records, marketing lists, or other channels, what privacy information was provided to individuals at the time of collection, and whether individuals provided their consent.

    The United Kingdom’s ICO emphasizes that organizations should perform due diligence when working with data brokers and maintain records of the data sources and collection methods to demonstrate accountability.
  2. Review Broker Procedures for DSRRs

    Data subject rights requests (DSRRs) are a cornerstone of privacy law. These rights allow individuals to, for example, access their personal data, correct inaccuracies, or request deletion. Data brokers are subject to these obligations in their own right and must respond to such requests within statutory timeframes that vary by jurisdiction. For example, under the GDPR, responses must generally be completed within one month, while under some U.S. state laws, including the CCPA, organizations have 45 days to respond.

    For organizations that purchase or use brokered data, DSRRs are relevant because they directly affect the accuracy, lawfulness, and reliability of the data being used. An individual may have already exercised a right to delete, correct, or object to the processing of their data with the broker or another downstream recipient. If those changes are not properly reflected in the datasets provided to or retained by your organization, you risk processing personal data that is outdated, inaccurate, or should no longer be used at all. Organizations must therefore confirm that their data broker has documented procedures for handling DSRRs, including deletion, correction, and objection requests.
     
  3. Confirm Data Is Screened Against Opt-Out Registries

    When using brokered contact data for marketing, it’s essential to confirm that the information has been screened against opt‑out registers and suppression mechanisms in the relevant jurisdictions. Many privacy and marketing laws give individuals and businesses the right to object to direct marketing and prohibit outreach where an opt-out has been registered or consent is otherwise required.

    For example, in the UK, contact data used for marketing calls must be checked against national opt-out registers such as the Telephone Preference Service (TPS) in order to comply with the Privacy and Electronic Communications Regulations (PECR). In the U.S., similar obligations apply under federal and state law, including the requirement to screen calling lists against the National Do Not Call Registry under the TCPA and the FTC’s Telemarketing Sales Rule. Similar opt-out, do-not-contact, or suppression requirements exist in other jurisdictions and must be taken into account when using brokered data for marketing activities.

    Even if a data broker performs these checks, your organization is still responsible for ensuring the data is compliant. This means confirming that screenings are done regularly, keeping documentation to show the process, and understanding how the broker updates their lists.
  4. Confirm a Lawful Basis for Using Brokered Data

    When purchasing personal data from a broker, your organization remains legally responsible for how that data is used. Where the GDPR applies, this includes identifying and documenting an appropriate lawful basis for each intended purpose of processing.

    For example, in the UK under the Privacy and Electronic Communications Regulations (PECR), and in EU Member States under national laws implementing the ePrivacy Directive, certain forms of electronic marketing generally require prior consent, subject to limited exceptions such as the “soft opt-in”, in addition to a lawful basis under the GDPR.

    Accordingly, organizations should verify whether brokered data intended for marketing was collected in a manner that supports the required consent or other applicable legal conditions. Reliance solely on a broker’s assurances is not sufficient; organizations should maintain appropriate documentation and traceability to demonstrate compliance and accountability if challenged by regulators.
  5. Ensure Consumers Are Notified of Data Sharing

    In some jurisdictions, including the EU and the U.S., organizations must notify individuals when their data is sold or shared with third parties. This includes explaining what data was shared, for what purpose, and with whom. Your organization must verify that the broker provided proper notification to consumers and that the privacy notices reflect these practices accurately.
  6. Check Broker Registration and Regulatory Compliance

    In some jurisdictions, data brokers must register with regulatory authorities. For example, in California, brokers that collect and sell personal information about individuals they don’t have a direct relationship with must register annually with the California Privacy Protection Agency and appear on the official Data Broker Registry. This registration confirms they meet disclosure obligations and handle consumer deletion requests via the DROP system every 45 days.

    Verifying broker registration helps your organization build confidence in the reliability and transparency of your data partners and ensures that your internal processes align with established regulatory standards.

Conclusion

Working with data brokers offers valuable insights and potential for business growth but also creates important privacy obligations. In the U.S., compliance focuses on registration, disclosure, and opt-out mechanisms, while in the EU, organizations must have a lawful basis for processing, ensure transparency, and maintain accountability.

By understanding these requirements and implementing clear processes for data subject requests and due diligence, organizations can use brokered data responsibly and reduce legal risk. VeraSafe provides guidance and support to help organizations navigate these obligations with confidence.
