Only 4 out of 50 states require data brokers to register and disclose their activities, leaving 92% of America in a regulatory blind spot where surveillance capitalism operates unchecked.
Have data broker registries
Of US lacks transparency
Operating in shadows
With minimal oversight
As of 2025, only California, Vermont, Oregon, and Texas require data brokers to register. Here's why 46 states remain in the dark.
These states have taken the bold step of requiring data broker transparency through mandatory registries.
CCPA/CPRA
First major registry
Act 171
Strictest requirements
SB 619
Consumer focus
HB 4390
Recent addition
The U.S. has no comprehensive federal privacy law like the EU's GDPR, leaving states to create their own regulations.
States are left to regulate on their own, creating a confusing patchwork system with inconsistent protections.
Only a handful of states have gone far enough to explicitly require data broker registration and transparency.
Data brokers can simply move operations to states with weaker laws, making enforcement nearly impossible.
Data brokers, advertisers, and big tech firms lobby aggressively against broad registries and transparency requirements.
"It's burdensome," "hurts innovation," or "small businesses will be penalized" - standard talking points to kill legislation.
Many state privacy bills get watered down, stalled in committee, or killed entirely due to industry pressure.
The data industry spends millions annually on lobbying to prevent transparency laws that would expose their practices.
Privacy isn't always a top legislative priority compared to healthcare, education, or economic issues.
Lawmakers often focus on cybersecurity breaches (reactive) rather than proactive data-market transparency.
States with strong consumer protection traditions (Vermont, California, Oregon) or tech oversight pressures pushed registries through.
Most legislators don't understand the data broker industry well enough to craft effective oversight legislation.
Even the four registries that exist struggle with compliance and enforcement challenges.
Watchdogs report hundreds of companies failing to register, or burying opt-out links with dark patterns.
Many states hesitate to adopt registries because they don't want to fund enforcement mechanisms.
Laws without enforcement are just suggestions - and data brokers know it.
Other states (Colorado, Connecticut, Virginia, Utah) have privacy acts, but rely on opt-out rights instead of registries.
These laws focus on general "data controller" obligations rather than specific broker transparency.
A registry is stricter and more visible than general privacy rights, so fewer states embrace this approach.
Broad privacy laws sound good but often lack the specific transparency that registries provide.
The regulatory failure around data brokers is a perfect example of how surveillance capitalism keeps consumers trapped in a digital prison.
Only 4 states pull back the curtain on data broker activities
46 states leave data brokers operating completely in the shadows
Consumers have no idea who has their data or how it's being used
You can't fight what you can't see. The lack of transparency keeps consumers powerless.
Even where laws exist, compliance is thin and enforcement is weak
Hundreds of companies fail to register or use dark patterns to hide opt-outs
States lack resources and political will to enforce existing laws
Laws without enforcement are just theater. Data brokers know they can operate with impunity.
Instead of one central federal registry, individuals must track four different state systems
Consumers must individually contact thousands of brokers to opt out
The system is designed to exhaust consumers and maintain the status quo
The burden is intentionally placed on consumers, making privacy protection nearly impossible.
This regulatory failure shows how the system keeps consumers trapped in surveillance capitalism. You can't escape what you can't see, can't hold accountable what has no oversight, and can't protect yourself when the burden is designed to be impossible.
The regulatory gaps aren't bugs in the system - they're features designed to maintain the digital prison.
Here's what the current registry landscape looks like and what it means for consumer protection.
Most comprehensive registry with detailed disclosure requirements
Strictest requirements including annual fees and detailed reporting
Consumer-focused with emphasis on opt-out mechanisms
Newest addition with focus on transparency and consumer rights
Data brokers operate without disclosure or registration
Few or no opt-out protections for residents
No mechanism to track or regulate data broker activities
Individuals must find and contact brokers individually
Even in states with registries, enforcement and compliance remain significant challenges.
Despite the regulatory gaps, there are steps you can take to protect your privacy and push for change.
Check California, Vermont, Oregon, and Texas registries
Use privacy services that automate opt-out requests
Use VPNs, ad blockers, and privacy-focused browsers
Contact representatives about privacy laws
Share information about data broker practices
Back privacy advocacy groups and watchdogs
Regulatory oversight of data brokers remains woefully inadequate, but understanding the system is the first step toward changing it.