How do data brokers collect and sell personal information, and what regulations govern them?

1. How data brokers collect personal information: a patchwork of sources

Data brokers compile profiles from a wide variety of feeds: commercial purchase histories, public records, mobile apps and SDKs that relay telemetry and location, third‑party cookies and other tracking pixels that follow users across sites, and purchases of other firms’ datasets—methods that let brokers infer sensitive traits and real‑time location ^{[1] [4] [5]}.

2. How those raw pieces become commercial products: aggregation, enrichment and resale

Brokers match identifiers, normalize fields and enrich records with demographic and behavioral signals to produce saleable audiences, risk scores and person‑level dossiers that can be licensed to advertisers, data brokers’ downstream customers and other third parties—transactions that are routine and often opaque to the individual whose data is traded ^[1].

3. The scale and harms regulators and advocates cite

Privacy groups warn the industry operates with “virtually no oversight,” enabling widespread collection of sensitive data and real‑time location that pose privacy, civil‑rights and national‑security risks; scholars and advocates argue this industrialized market for personal data concentrates power and creates opportunities for misuse ^[1]. Enforcement sweeps and FTC actions have targeted specific practices, reflecting regulators’ concerns about harm and lack of transparency ^[6].

4. California’s new regime: registration, DROP and deletion sweeps

California’s Delete Act and CPPA rules require data brokers to register annually, pay fees, report data‑subject metrics, and be ready to process consumer deletion requests through the Delete Request and Opt‑Out Platform (DROP), which goes live for consumers January 1, 2026 and must be polled by brokers every 45 days beginning August 1, 2026; non‑registration can trigger administrative fines of about $200 per day ^{[2] [3] [7] [8] [9]}. SB 361 expanded disclosure obligations to include whether brokers collect sensitive attributes such as sexual orientation, union membership or citizenship status ^[3].

5. How the new rules change who counts as a broker—intent matters

Regulations tighten the definition of “data broker” by focusing on whether a business “knowingly collects and sells” data about consumers without a direct relationship, and clarify that mere collection does not create a direct relationship unless the consumer intentionally interacted with the business—thus bringing third‑party cookie providers, analytics SDKs embedded in apps, and other indirect collectors within scope ^{[6] [4] [5]}.

6. What remains unregulated and the wider legal patchwork

Advocates and observers note there is no comprehensive federal law that regulates data brokers industry‑wide, so state laws like Vermont, Texas and Oregon join California in filling gaps while federal action lags; privacy groups argue federal baseline legislation is necessary to curb nationwide practices such as sales of location and sensitive data ^[1]. Meanwhile, industry counsel warn that technical challenges—matching thresholds, privacy‑preserving technologies and operational integration with DROP—create compliance burdens and potential friction with advertising ecosystems ^{[10] [11]}.

7. Stakes, incentives and likely next moves

The incentives driving brokers—monetizing attention and profiles—clash with regulators’ push for transparency and deletion mechanisms, so companies are auditing relationships, preparing DROP accounts, and re‑classifying entities to avoid penalties while enforcement advisories explicitly warn against “hiding the ball” through shell trade names or affiliates ^{[5] [9] [12]}. Expect more state rulemaking, targeted enforcement and industry efforts to negotiate technical standards for matching and opt‑out workflows ahead of the 2026 enforcement milestones ^{[13] [10]}.