Four states require data brokers to register. Many brokers do not. The gap is where the danger lives.

What's happening

Four states have data broker registration laws on the books.

• California (effective 2020 under the Data Broker Registration Act, expanded 2024 under the Delete Act)
• Vermont (effective 2019, the first such law in the country)
• Oregon (effective 2024)
• Texas (effective 2024)

Each requires any business that fits the state's definition of "data broker" to register with a state agency. Pay an annual fee. Disclose certain practices. In California's case, also accept consumer deletion requests through the state-run DROP platform.

The promise of these laws was straightforward. Force brokers into the daylight, then let consumers see who has their data and demand deletion. A platform like DROP is genuinely useful when it works. As of January 2026, more than 155,000 California consumers had used DROP to submit deletion requests covering registered brokers.

The catch is registration compliance.

Brokers that fail to register are not bound by the consumer-deletion machinery in any practical way. The state can fine them when caught. Catching them requires the state agency to know they exist.

Privacy Rights Clearinghouse ran an analysis in June 2025 of broker registration in Vermont and Oregon. They found significant non-compliance. Brokers operating multiple trade names registered under one and sold under others. Brokers exploiting the "knowingly" knowledge requirement in California and Vermont (the broker only owes a duty to register if it "knowingly" trades in personal information). Brokers below revenue or volume thresholds in California (which has thresholds) operating without registering, even though Oregon and Vermont have no equivalent thresholds.

The California Privacy Protection Agency responded. In November 2025, the CPPA announced a Data Broker Enforcement Strike Force. In December 2025, it issued Enforcement Advisory No. 2025-01, warning brokers operating in California to register and detailing the agency's enforcement posture.

The advisory is a useful warning shot. It is not a fix.

Why this matters for first responders

Cops who hear about California's Delete Act or Vermont's broker law often assume that one consumer-side deletion request reaches every broker that has their data. That is what the Delete Act is designed to do. In a clean compliance environment it would work that way.

The compliance environment is not clean.

Three categories of broker create risk for officers and slip past registration.

1. Foreign-owned brokers. A broker incorporated in the EU, India, or elsewhere that sells US data to US buyers can be hard for state regulators to reach. Some register voluntarily. Many do not.

2. B2B-only brokers. Brokers like Accurint, TLOxp, and Pipl sell investigative-grade lookups to credentialed users (insurance investigators, private investigators, debt collectors, sometimes law enforcement). Their public-facing footprint is small. They argue they are not "data brokers" under the consumer-facing definitions in California and Vermont, even though they aggregate the same kinds of personal data. Some have registered. Some have not. Their lookups are the most dangerous to officers because the records are deeper and the buyers include investigators who can be paid to dox someone.

3. Small people-search sites. The long tail of cheap consumer-facing broker pages, often run by one or two people, often hosted offshore. Each one is small enough to fly under thresholds and rules. Together they make up a meaningful portion of the broker pages a cop's name will appear on.

The Vermont and Oregon laws have no minimum threshold. Every broker, regardless of size, is supposed to register. The Privacy Rights Clearinghouse June 2025 analysis found enough non-registration to suggest the laws are under-enforced.

California has a revenue threshold. Some brokers structure their entities to stay below it.

Both California and Vermont have "knowingly" requirements. A broker that argues it doesn't "knowingly" sell to a buyer who will use the data for harassment can try to claim it owes no duty.

Where this stands as of April 2026

The numbers and milestones worth tracking.

• California DROP platform. 155,000+ consumers as of January 2026. The platform covers all registered brokers in California. A single submission triggers deletion across all of them, refreshed every 45 days.
• CPPA Data Broker Enforcement Strike Force. Announced November 2025. Active enforcement program targeting non-registered brokers and brokers that are out of compliance with deletion duties.
• Enforcement Advisory No. 2025-01. Issued December 17, 2025. Detailed guidance on which entities qualify as data brokers, what counts as "knowingly," and what penalties apply.
• Privacy Rights Clearinghouse Vermont and Oregon analyses. Documented non-compliance in both states. The Vermont letter (June 24, 2025) is the most-cited public document on the gap.
• Oregon's law has only been in effect since January 1, 2024. The compliance picture is still settling.
• Texas's law went live in 2024 with a state-run portal that is less mature than California's DROP.

The DROP platform works for what it covers. The challenge is that what it covers is a subset of the brokers that touch officer data.

What this means for an officer's protection plan

Three takeaways.

1. Use DROP if you live in or have ties to California. It is free, gov-backed, and reaches every broker that registered. As of late 2025, more than a thousand brokers were on the registry. Submitting one form triggers deletion across all of them. That is a real win.

2. Do not rely on DROP alone. The brokers that are most dangerous to officers (the B2B investigative tier and the foreign small fry) are exactly the brokers least likely to be on the registry. You still need direct opt-outs against those.

3. The B2B tier needs its own approach. Accurint, TLOxp, Pipl, and similar tools are not consumer-facing and do not have public opt-out forms. Suppression requires either a sworn statement to LexisNexis under specific protocols or a state-law mechanism like Daniel's Law that reaches commercial aggregators. Many cops do not know the B2B tier exists. It does. It is the tier most often used in investigative doxxing.

What an officer should do

In order of impact.

1. If you live in California, register on DROP. It is free. It takes ten minutes. It covers the registered brokers automatically and refreshes every 45 days. See the California AG's DROP page for instructions.

2. File direct opt-outs against the consumer-facing brokers that are likely non-registered or operating in states with weaker registration enforcement. Spokeo, Whitepages, BeenVerified, TruePeopleSearch, and similar. Each one accepts an opt-out form.

3. For the B2B tier, request suppression from Accurint and TLOxp directly. LexisNexis (parent of Accurint) has a law-enforcement suppression process that requires verification of officer status. Pipl has a similar process. None of these are advertised.

4. Daniel's Law if you live in NJ, FL, or NE. Daniel's Law applies to all commercial aggregators including the B2B tier, with statutory damages for non-compliance. See our Daniel's Law page.

5. For everyone else, paid removal services or a service like FrontlinePrivacy that knows the registered, the unregistered, and the B2B brokers. We work all three tiers.

What to watch

• CPPA enforcement actions. The Strike Force will start naming non-compliant brokers in 2026. The first few enforcement actions will set the floor.
• New York and Massachusetts. Both have broker-registration bills active. New York's S9088 (introduced January 30, 2026) is the closest analog to California's Delete Act so far.
• Vermont legislative response. The state is considering raising penalties for non-registration after the PRC analysis. Vermont H.211 (2026) is the relevant bill.
• Federal preemption. The broker trade groups are pushing for a federal registration regime that would preempt state laws. So far no traction.

The state registration laws are good policy. The compliance gap is real. Plan around both.