Hundreds of Data Brokers Are Dodging State Registration Laws

A new investigation from the Electronic Frontier Foundation and Privacy Rights Clearinghouse [1] caught my attention this week. They found that hundreds of data brokers are systematically avoiding state registration requirements. The numbers tell the story: 291 companies failed to register in California, 524 in Texas, 475 in Oregon, and 309 in Vermont.

The Registration Dodge

Data broker registration laws exist for a reason. They create transparency about who’s collecting and selling personal information. They provide consumers with a means to locate these companies and exercise their privacy rights. When brokers dodge registration, they operate in the shadows.

The EFF research shows companies playing jurisdictional games. A broker might register in California but skip Texas, even though they’re doing the same business in both states. Or they’ll register as one entity while operating subsidiaries that should also be registering.

This isn’t an oopsie. It’s intentional, systematic evasion.

Why This Should Matter to Marketers

I’ve spent years advocating for consent-based email marketing [2] because it works better and carries fewer risks. [3] This data broker investigation reinforces exactly why purchased lists and data appending remain problematic strategies.

When you work with an unregistered data broker, you’re working with a vendor that’s already shown they’ll cut corners on compliance. That tells you something about their ethics and their approach to data collection.

If that broker collected data through deceptive practices or can’t demonstrate valid consent, you’ve inherited those problems. When consumers file complaints or attorneys general start investigating, the investigation likely starts with you, not your vendor. The complaints will initially come to you, and consumers will only learn about the data broker if you inform them who that is.

What You Can Do About It

First, if you’re still buying lists or appending data, stop. The risks keep growing while the benefits keep shrinking. Consent-based strategies consistently outperform purchased data on engagement metrics while eliminating these compliance headaches entirely.

If you’re not ready to make that jump yet, at least verify your vendors’ registration status and ask about it in your RFPs. California maintains a searchable registry of data brokers. [4] Texas has one, too. [5] Oregon [6] and Vermont [7] have their own systems. Check them regularly, not just during onboarding.

Look for vendors who are registered in each state where they operate. A company that registers everywhere it is required to do so is more likely to take other compliance requirements seriously.

The Bigger Picture

This investigation reveals an important aspect of the data broker industry: despite increasing legislative attention and consumer demand for transparency, hundreds of companies continue to take steps to circumvent regulation.

But state enforcement is ramping up. The EFF and Privacy Rights Clearinghouse just handed regulators a roadmap for finding non-compliant companies.

Savvy email marketers will get ahead of this trend rather than scrambling to react when enforcement actions start hitting their vendors.

The Consent-Based Alternative

Here’s what I keep coming back to: consent-based email marketing avoids all of these problems. When you build your list through direct subscriber interaction, you control the compliance story from start to finish. You know how the data was collected. You have documentation of consent. You can respond to consumer requests.

The data is of higher quality because people want to hear from you. The engagement rates are better because you’re reaching interested audiences. And you sleep better at night because you’re not wondering whether your list vendor is about to get hit with an enforcement action.

Companies like Growbots and UpLead learned this lesson the hard way just last year. [8] California fined them over $30,000 each for failing to register as data brokers. Any email marketer using their services probably wasn’t expecting to inherit vendor compliance problems when they signed those contracts.

Moving Forward

EFF’s data broker registration findings underscore the importance of vendor due diligence in email marketing. But more importantly, they demonstrate why building your consent-based audiences remains the most sustainable approach.

Registration evasion is just one red flag. If a vendor won’t register with state authorities, what other compliance shortcuts are they taking? How confident are you in their data collection practices? Can they demonstrate valid consent for the data they’re selling you?

These questions will become increasingly difficult to answer as regulatory scrutiny intensifies. The easier path is building an audience that wants to hear from you.

Footnotes

  1. Mario Trujillo and Hayley Tsukayama, Why Are Hundreds of Data Brokers Not Registering with States?, Electronic Frontier Foundation (Jun. 24, 2025), https://www.eff.org/deeplinks/2025/06/why-are-hundreds-data-brokers-not-registering-states.
  2. Mickey Chandler, Gold Lasso Email Marketing Anti-Spam Policy, Spamtacular (Nov. 7, 2007), https://www.spamtacular.com/2007/11/07/gold-lasso-email-marketing-anti-spam-policy/ (“Our clients do control their lists, and sometimes they screw up. But they quickly get back on board precisely because there’s someone like me around who enforces our policies and who can (and will) shut off the mail flow until they find religion.”).
  3. Mickey Chandler, Why an Opt-out Opt-in Doesn’t Really Work (Aug. 17, 2011), https://www.spamtacular.com/2011/08/17/opt-opt-doesnt-really-work/.
  4. State of California, Data Broker Registry – California Privacy Protection Agency (CPPA), https://cppa.ca.gov/data_broker_registry/ (last visited Jun. 27, 2025).
  5. Texas Secretary of State, Registered Data Brokers – Data Broker, https://texas-sos.appianportalsgov.com/data-broker-registry (last visited Jun. 27, 2025).
  6. State of Oregon, Data Broker Registry, Division of Financial Regulation, https://dfr.oregon.gov/business/licensing/data-broker-registry/Pages/index.aspx (last visited Jun. 27, 2025).
  7. State of Vermont, Data Broker Search, Business Services Division, https://bizfilings.vermont.gov/databrokersearch/Search (last visited Jun. 27, 2025).
  8. State of California, CPPA Settles With First Set of Data Brokers (Oct. 30, 2024), https://cppa.ca.gov/announcements/2024/20241114.html.

Mickey

A recognized leader in the fight against online abuse, specializing in email anti-abuse, compliance, deliverability, privacy, and data protection. With over 20 years of experience tackling messaging abuse, I help organizations clean up their networks and maintain a safe, secure environment.