Capstone believes data brokers collecting and selling personal data face costly operational burdens and increased risk due to California’s opt-out program, with enforcement starting August 1st. Similar proposals in other states, as well as at the federal level, indicate a tighter regulatory environment through 2027. National security and privacy concerns raise the risk for companies operating overseas or with particular categories of sensitive data.
- As mandated by the Delete Act, the California Privacy Protection Agency launched its Delete Request and Opt-out Platform (DROP) on January 1st, allowing consumers to request data deletion across registered data brokers. These firms must establish ongoing deletion mechanisms by August 1st, when DROP enforcement begins with fines of $200 per violation per day.
- The regulatory environment will continue to tighten through 2027, driven by DROP enforcement, as well as expanding registration requirements in other states and growing momentum for comprehensive federal privacy legislation. Although consumer adoption levels of DROP are not yet clear, widespread use could motivate other states to implement similar measures.
- Data brokers face growing regulatory risk from national security restrictions on sensitive data categories. The Department of Justice’s January 2025 bulk data rule, coupled with children’s privacy initiatives, raises the risk for brokers handling sensitive personal data, particularly those with customer bases abroad.
Capstone has observed increased private equity interest in data collection companies, including brokerages, due to growing demand for artificial intelligence (AI) model training data. Although the regulatory environment for data scrapers is positive in the wake of AI proliferation (see Third-Party Web Scrapers Poised to Benefit from Growing AI Training Data Demand), data brokers and market intelligence companies that distribute data to third parties face mounting operational burdens and enforcement risks. We are monitoring several developments in the data privacy and security space for private equity investors interested in data brokers:
- California’s DROP: California’s newly established DROP, under the Delete Act of 2023, is a “one-stop shop” for consumers to delete their data across all registered data brokers, instead of having to opt out through each broker individually, which was the earlier practice. DROP requires businesses to establish ongoing monitoring systems and robust data deletion plans, exposing them to high CPPA enforcement risk. Other states may also follow suit.
- Federal Legislation: Federal privacy legislation is back in the spotlight as lawmakers consider it a precondition to enacting AI legislation, increasing compliance pressure on data brokers providing market intelligence in the US.
- Data Security Concerns: Data brokers have faced increased scrutiny in recent years due to national security and privacy risks, particularly regarding the sale of specific categories of “sensitive” personal data, and, separately, sales to international buyers.
Privacy Legislation Outlook
California’s Delete Act
Although more than 20 states have enacted privacy laws, California’s statutes and corresponding regulations are considered the strictest and most comprehensive in the US. The California Consumer Privacy Act (CCPA) of 2018 was later strengthened by the California Privacy Rights Act (CPRA) of 2020. The CPRA created the California Privacy Protection Agency (CPPA), which was tasked with enforcing the state’s privacy framework, including oversight of data brokers. CPRA required registered data brokers to provide an opt-out link on their websites and honor opt-out signals and data deletion requests from consumers.
In response to the frustration among California consumers over navigating more than 500 opt-out systems across data brokers, the Delete Act of 2023 tasked CPPA with establishing and operating DROP, a one-stop mechanism for consumers to request data deletion. The platform, which launched on January 1st, 2026, allows consumers to request deletion of their data across all registered brokers via a CPPA-managed website, requiring companies to establish ongoing monitoring systems and data deletion plans by August 1st. Before the Delete Act took effect, consumers had to ask each data broker individually to delete their data. With DROP, a single request applies to all registered brokers.
The Delete Act also expands the definition of “data broker” in California to a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This definition is interpreted as applying to any business that sells consumer data without having a consumer-facing relationship. This could require a variety of businesses to register as data brokers if they collect data from other sources and sell to third parties, including in an adtech context.
Although it remains unclear how widely consumers will opt out via DROP, the success of the National Do Not Call Registry, which saw 50 million registrations within its first few months and now includes over 258 million phone numbers, suggests strong consumer appetite for centralized opt-out mechanisms. If DROP records similar adoption rates, enforcement by CPPA could prove expensive for data brokers under the Delete Act. Failure to comply with deletion requests will attract fines of $200 per violation request for each day of violation, besides expenses incurred by CPPA during the investigation. Brokers separately face $200 fines for each day they fail to register in California.
California’s privacy framework is similar to Europe’s General Data Protection Regulation (GDPR), which requires affirmative consent before collecting data. According to a SAS Institute study, 56% of European consumers exercised their GDPR rights, including data deletion requests, within the first year it was effective. Although this figure is likely inflated as it reflects a broader range of privacy actions and GDPR operates on an opt-in model, DROP adoption rates could reach a similar level. DROP requires consumers to seek out the CPPA website, create a profile, and submit a request, which is more steps than it would take to opt out in the EU.
The CPPA has yet to issue fines for DROP violations, although it has taken an aggressive enforcement posture on violations of other statutes it oversees. In September 2025, for example, CPPA announced a $1.35 million settlement — the highest so far — with Tractor Supply Co. (TSCO) for failing to honor customers’ opt-out requests and for ineffective data deletion mechanisms. Although the enforcement action was brought under the broader CCPA and targeted a retailer rather than a data broker, it signals the agency’s intent to pursue violations by companies having insufficient deletion mechanisms.
In October 2024, CPPA launched an investigative sweep of dozens of data brokers that failed to register under the Delete Act, leading to numerous settlements and fines ranging from ~$45,000-$63,000. The sweep is ongoing. The CPPA later announced the creation of a Data Broker Enforcement Strike Force within its Enforcement Division to investigate privacy violations by the data broker industry.
Data Privacy Legislation in Other States
The lack of comprehensive federal action in the privacy space has driven several other states to implement their own efforts to regulate data brokers. The efforts include enacting laws that require data brokers to register with the state, increase transparency, and enable consumer opt-outs. Vermont passed the country’s first data broker legislation in 2018, requiring companies to register annually with the state and provide information about collection activities, security breaches, and other information. Texas and Oregon passed data broker registration laws in 2023. New York has proposed SB S9088, which would require data brokers to register with the state and establish a data deletion mechanism for consumers. We expect the regulatory landscape to continue tightening for data brokers at the state level, regardless of federal action.
Federal Data Privacy Legislation
Congress has attempted to pass comprehensive data privacy legislation, with sustained momentum for these proposals increasing compliance pressures on businesses selling or sharing data with third parties. Passage at the federal level is difficult, given Congress’ current low bill passage rate and long-standing lack of consensus on state preemption and private rights of action. However, we expect privacy regulation to remain a priority, especially as lawmakers consider it a precondition to enacting AI regulation. For example, following California’s Delete Act, the federal Data Elimination and Limiting Extensive Tracking and Exchange Act (DELETE Act, HR 2612) was reintroduced in the Senate in April 2025. The bill would task the Federal Trade Commission (FTC) with creating an online dashboard for consumers to submit data deletion requests. Although lawmakers failed to pass this bill twice before, data brokers should consider aligning with California’s Delete Act, as registration requirements, opt-out mechanisms, and transparency mandates could be applied nationwide.
Sensitive Data and Data Security
Data brokers have faced increased scrutiny in recent years regarding national security and the protection of “sensitive” personal data. Congress passed the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) in April 2024, prohibiting data brokers from selling or providing access to “personally identifiable sensitive data of a US individual to any foreign adversary country.” The FTC, on February 9th, sent letters to 13 data brokers warning them of the law’s requirements, and that violations could lead to civil penalties of up to $53,088 per violation (in an extreme scenario).
Additionally, in January 2025, the Department of Justice (DOJ) issued a Final Rule to implement Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data to Countries of Concern or Covered Persons. The measure prohibits brokers from selling sensitive US personal data in bulk to certain “countries of concern,” including China, restricting data brokers from monetizing their collections.
The DOJ’s rule categorizes the types of sensitive data subject to these restrictions, including Americans’ geolocation data, health data, biometric data, and government data. Beyond the DOJ’s rule, however, Capstone believes companies selling data should be wary of handling these data types more broadly and closely monitor compliance risks. Policymakers have also expressed privacy and security concerns about children’s data, threatening data brokers’ access to youth userbases. Capstone expects Congress to advance children’s online safety legislation this session, such as the Kids Online Safety Act and Children and Teens’ Online Privacy Protection Act (COPPA 2.0), which would expand restrictions on the visibility of minors’ user and location data. Although most of these pending bills target social media and online entities rather than data brokers, they would limit partnerships with other platforms and decrease the amount of under-17 user data available for collection.
Additionally, the Don’t Sell Kids Data Act (HR 6292), which would prohibit data brokers from collecting minors’ data and allow parents to request the deletion of existing data, recently advanced from a House subcommittee to the committee on Energy and Commerce. HR 6292 moved as part of an 18-bill package addressing children’s privacy issues with bipartisan support. However, regulators remain more focused on the Big Tech platforms than on the data broker industry, decreasing the bill’s likelihood of passage. Regardless, we believe data brokers reliant on youth data and other categories of sensitive data face increased risk.
What’s Next
California’s CPPA will begin enforcing DROP on August 1st, by which time data brokers should ensure they have developed sufficient data deletion and monitoring mechanisms.
The federal DELETE Act is pending in the House committee, while the Don’t Sell Kids Data Act awaits a full House Energy and Commerce Committee markup.