WASHINGTON, Data brokers collect, aggregate, and sell personal information on hundreds of millions of Americans, purchasing histories, precise location records, financial inferences, health signals, without any direct relationship with the individuals whose data they monetize. No comprehensive federal law requires data brokers to register, disclose their practices, or honor consumer deletion requests. That gap defines the central unresolved problem in U.S. privacy policy.
What the Industry Looks Like
The data broker market operates largely outside the consumer’s line of sight. Acxiom, a subsidiary of Interpublic Group, maintains records on approximately 2.5 billion consumers globally. LexisNexis Risk Solutions (RELX PLC) supplies data to government agencies, insurers, and financial institutions. Oracle Data Cloud, Epsilon, CoreLogic, and Equifax’s IXI division round out the top tier of a market analysts estimate at more than 00 billion globally.
Profiles routinely combine offline purchase records, online behavioral data, public records, and third-party enrichment data in ways consumers cannot anticipate. Inferred categories: estimated income bracket, health condition likelihood, political affiliation, are bought and sold without the underlying individuals ever consenting to that classification. Military personnel location data sold by brokers has been documented reaching foreign intelligence services. Precise location histories have exposed the addresses of reproductive health clinics, domestic violence shelters, and houses of worship.
Federal Statutes: What Applies and What Does Not
The Fair Credit Reporting Act (15 U.S.C. § 1681, enacted 1970) covers consumer reporting agencies when data is used for credit, employment, housing, or insurance decisions. A data broker selling profiles to marketers, political campaigns, or law enforcement falls outside that definition. FCRA’s access, dispute, and accuracy rights do not apply to most data broker transactions.
The FTC settled with Spokeo Inc. in 2012 for 00,000 after the company marketed consumer profiles to HR departments and recruiters without FCRA compliance. The settlement established only that Spokeo had positioned its product for FCRA-covered uses while evading its obligations, a broker selling identical profiles to a direct-mail company faces no FCRA liability at all. The Gramm-Leach-Bliley Act (15 U.S.C. § 6801) governs how financial institutions share customer data; it does not reach brokers that compile financial inferences from non-financial sources downstream. Section 5 of the FTC Act (15 U.S.C. § 45) prohibits unfair or deceptive practices but does not authorize the FTC to mandate registration, transparency disclosures, or consumer deletion rights absent a specific statutory hook.
CFPB Rulemaking: Proposed and Withdrawn
The most significant recent attempt to close the federal gap came from the Consumer Financial Protection Bureau. On December 13, 2024, the CFPB published a proposed rule, “Protecting Americans from Harmful Data Broker Practices (Regulation V)”: that would have redefined key FCRA terms to capture brokers selling data used in credit, employment, housing, and insurance determinations.
The rule did not survive the change in administration. On May 14, 2025, the CFPB withdrew the proposal, stating rulemaking was “not necessary or appropriate at this time.” The Bureau cited commenters’ concerns about the rule’s alignment with the FCRA and the agency’s statutory authority, and noted its interpretation of relevant FCRA definitions was under revision. The withdrawal left the FCRA’s boundary with the data broker industry exactly where it stood in 2024, defined by a 1970 statute written for credit bureaus, not algorithmic profiling companies.
California’s Delete Act: The State-Level Benchmark
California enacted the most operationally demanding state data broker framework in the country. The California Delete Act (SB 362, signed October 2023, Cal. Bus. & Prof. Code § 1798.99.80) required the California Privacy Protection Agency to build a single deletion mechanism, the DELETE Request and Opt-Out Platform, or DROP, through which any California consumer could submit one request covering every registered broker simultaneously.
The DROP launched January 1, 2026. As of that date, 545 data brokers were registered with the CPPA; annual registration fees are set at ,000. Data brokers must access the DROP at least every 45 days beginning August 1, 2026, to retrieve and process consumer deletion requests. Three-year audit cycles begin January 1, 2028. The CPPA had reached five published settlements with data brokers for Delete Act violations: including failures to register and failures to process deletions, by May 2026, signaling active enforcement intent.
Vermont’s 2018 data broker registration law (Act 171) was the first in the country; roughly 200 brokers are registered there. Oregon, Texas, and Colorado include data broker provisions within their comprehensive privacy laws, but none has created a centralized deletion mechanism comparable to the DROP. For context on how state privacy frameworks interact with the federal legislative gap, see the U.S. Data Privacy Law guide.
The Federal DELETE Act: Introduced, Not Enacted
Congress has introduced a federal analog to California’s framework in successive sessions. The Data Elimination and Limiting Extensive Tracking and Exchange Act, the DELETE Act, would create a national data broker registry at the FTC and a centralized deletion mechanism. Reintroduced in the 119th Congress as S. 1287 and H.R. 2612, both bills were referred to committee and had not advanced to a floor vote as of May 2026.
The bill would require brokers to register with the FTC within 18 months of enactment, publish data category disclosures, and honor deletion requests submitted through a central platform. Enforcement would rest with the FTC. The bill does not create a private right of action. The primary legislative obstacle is preemption: any federal data broker regime that supersedes California’s Delete Act would face opposition from the CPPA and California’s political leadership: the same dynamic that defeated both the American Data Privacy and Protection Act and the American Privacy Rights Act in the previous two Congresses.
FTC Enforcement Without Legislation
FTC action against data brokers accelerated in 2024. Four enforcement actions targeted location data brokers: X-Mode Social/Outlogic (January 2024), InMarket Media (January 2024), Gravy Analytics/Venntel (December 2024), and Mobilewalla (December 2024). Each order permanently barred the respondent from selling precise location data about consumers visiting sensitive locations, reproductive health clinics, houses of worship, mental health facilities. Litigation against Kochava remained pending in the District of Idaho as of early 2025.
In February 2026, the FTC issued warning letters to 13 data brokers whose products appeared to involve sales of sensitive personal data to foreign government-linked entities. Warning letters are not enforcement actions, but they signal potential investigations. Acting Chair Andrew Ferguson, elevated January 2025, has indicated preference for enforcement under established statutory theories, COPPA and GLBA, over expansive Section 5 unfairness theories, narrowing the practical reach of agency action in the current term.
Section 5 cannot deliver the structural obligations that a data broker registry would impose. The FTC can sue a broker that misrepresents its practices. It cannot require registration, mandate transparency disclosures, or compel a broker to honor a deletion request absent a deception or unfairness hook. Without the DELETE Act or comparable legislation, federal data broker oversight remains a series of individual enforcement actions rather than a systemic framework — while California operates the nation’s most functional registry and the federal government operates none.