March Privacy Forecast: New Data Broker Laws and Regulations
This week in our March Privacy Forecast, we discuss a growing trend at both the federal and the state level – new laws and regulations that specifically target data brokers.
Federal-Level Data Broker Laws and Regulations
At the federal level, two new legal frameworks have direct implications for data brokers. First, the Protecting Americans’ Data From Foreign Adversaries Act (PADFA) – which went into effect on June 23, 2024 – generally prohibits “data brokers” from selling, licensing, or transferring for consideration an American’s “personally identifiable sensitive data” to certain “foreign adversary” countries (i.e., China, North Korea, Russia, and Iran) or to any entity “controlled” by those foreign adversary countries. Second, the new Department of Justice rule on cross-border data transactions – which is set to take effect on April 8, 2025 – includes strict prohibitions on data brokerage, which is defined more broadly than under PADFA to include “the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”
Additionally, in December 2024, the Consumer Financial Protection Bureau (CFPB) attempted to regulate certain data broker practices, via a Notice of Proposed Rulemaking (NPRM), under the Fair Credit Reporting Act (FCRA). As we previously detailed, the NPRM proposes, among other things, to amend the definitions of “consumer report” and “consumer reporting agency” to cover a broader range of activity than is currently covered under the law. Following the change in Administration, the CFPB has extended the time for comment, but has not withdrawn the NPRM. This leaves open the possibility that new CFPB leadership may pursue at least some proposals to restrict data broker practices under the FCRA.
State-Level Data Broker Laws
A number of states, including California, Oregon, Texas, and Vermont, have enacted data broker laws that govern the collection and sale of certain consumer data. Under these laws, data brokers are typically defined as companies that sell or otherwise transfer consumers’ personal information, where the company does not have a direct relationship with the consumer. While each of these laws is distinct, general requirements on data brokers include registering with the state, providing details about their data collection and processing activities, and implementing reasonable security measures to safeguard personal information. States such as California and Texas are using investigative sweeps, fines, and settlements to take action against data brokers that fail to register, indicating a proactive approach to compliance.
Other states are adopting laws designed to protect certain public officials, which can impact data brokers. For example, New Jersey’s “Daniel’s Law” allows judges, prosecutors, police officers, correctional officers, and their immediate family members to request in writing that any company or entity not disclose their home addresses or unpublished telephone numbers, and requires entities to comply with such requests within 10 days. This law has resulted in a wave of litigation, with numerous lawsuits filed against data brokers and other businesses that allegedly fail to comply with the requirements of the law. Following in New Jersey’s footsteps, several states including Maryland, New York, and Wisconsin have enacted similar laws.
***
Due to the evolving federal and state landscape, companies that sell data should carefully assess whether and how these data broker laws may apply to them and develop appropriate compliance strategies.
Please stay tuned for our final article in this March Privacy Forecast series, which will be published on Friday, March 28.