More Companies Are in Scope for State Data Broker Laws 

By Sam Castic 

New and amended data broker laws make more companies that collect and disclose personal data subject to state data broker laws.  Last week New Jersey enacted a unique new data broker and data collector law, and Connecticut enacted (and then amended) one last month.  With Vermont's recent expansion of its law, and California regulation changes that took effect this year, there are some emerging scope expansions for these laws that all companies that collect and disclose personal data should be aware of. 


1. Organizations that disclose data they collect about customers, or collect directly from data subjects, can now be subject to data broker laws.   

California started this trend by clarifying that companies can be data brokers when they sell personal information they did not collect from data subjects, even if they have a first-party relationship with those data subjects.  Connecticut, New Jersey, and Vermont have followed with laws that can apply to companies that sell or license data they collect directly from data subjects, or that relates to data subjects they have a first-party relationship with.  As if to underscore this requirement, New Jersey's new law applies expressly to both "data collectors" and to "data brokers", with data collectors including companies that have direct relationships with the data subjects whose personal data is sold or licensed to a data broker. 

Organizations doing any of the following should assess whether their practices are in-scope for these new requirements: 

  • Any organization using advertising cookies or tracking technologies on websites or apps, 

  • Adtech companies disclosing data to enable advertising, and 

  • Any entity that takes the position it "sells" personal data under state privacy laws. 


2. The laws do not apply narrowly to companies that sell personal data.   

Companies can also be subject to the laws if they license personal data, and in Texas, if they transfer or process it.   

Contract terms with vendors and partners are critical to assess whether there is a sale, license, or other in-scope disclosure of personal data.  Organizations that disclose personal data to vendors or partners should validate that contract review protocols catch if these disclosures involve a sale, licensing, or other sharing that makes the organizations subject to data broker laws. 

  

3. State portals for deletion requests may become more common.   

California was the first state to require data brokers to access a state data deletion portal where consumers can request that all data brokers delete their data.  California’s portal, the Delete Request and Opt-out Platform (DROP), needs to be accessed by data brokers starting next month.  Connecticut followed with a state deletion mechanism that companies will need to access and honor starting in October 2028.  Vermont's amendments require study of the feasibility of creating a state deletion platform.   

If in scope for these requirements, make sure your organization is able to access DROP next month, and tracks development of the Connecticut mechanism. 


4. New requirements take effect soon.   

Data brokers need to access and honor deletion requests at the California DROP database in a few weeks, starting August 1, 2026.  New Jersey's law passed last week and is in effect now (other than registration requirements that take effect March 27, 2027).  Connecticut's new law takes effect soon on October 1, 2026, and Vermont's amendments take effect January 1, 2027.  This does not leave much time for organizations that are newly in scope for these laws to develop compliant processes.  

There are now seven states that have enacted data broker laws.  This chart has a high-level summary of some of these new and changed requirements. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on AI, privacy, and data security. Hintze attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy, and data security.