What Is a Data Broker and Why Does It Matter?

The CCPA itself does not mention data brokers, but current regulations identify them as a type of third party to whom a business might be disclosing consumers’ personal information. In doing so, it points to California’s data broker law, Civil Code section 1798.99.80, which defines a data broker as:

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.

A “direct relationship” is established when the consumer knows who they are dealing with and transmits their information directly to that party. For example, a business has a direct relation with its customers, and a website has a direct relationship with its visitors. 

Often, data brokers are sources of personal information, such as when a business purchases an email list or other sales leads. What tends to cause more complications for compliance (more on this below) is when businesses disclose information to a data broker. This may mean simply trading personal information for cash, but far more commonly it involves swapping personal information in exchange for access to software or a much larger database of personal information from other sources (sometimes called “data cooperatives”).

The term is often misunderstood to apply to any big tech company that deals in personal data. For example, Google collects personal information from billions of people, often without having a direct relationship with them (as when a Google Ads tracker is used to deliver targeted advertising). However, Google does not sell that data to anyone else, so it is not a data broker.

If you’re not sure whether you’re dealing with a data broker, one easy way to check is to search the California Data Broker Registry. Data brokers that trade California consumers’ data are required to register with the state, so theoretically the company in question should be listed if it is a data broker. Of course, if a company is not listed in the registry, it may be that it simply failed to register as required.

What Does This Mean for Compliance?

There’s nothing inherently wrong with dealing with data brokers, and no data privacy law prohibits businesses from disclosing or receiving personal data from a data broker. 

The primary effect on compliance stems from whether disclosing personal data to a third party amounts to a sale. If it  is a sale of personal information, businesses typically must disclose this fact and offer consumers a method for opting out.

If you’re thinking, “I know my business doesn’t sell personal information because we don’t receive any money,” it’s actually more complicated than that. Several laws, including the CCPA, define a sale as exchanging personal data for “monetary  or other valuable consideration.” This means that receiving some other tangible benefit besides money—such as a discount on software or access to a database—is enough to convert the exchange into a sale.

Here’s a breakdown by jurisdiction.

California, Connecticut, and Colorado

Privacy laws in these states use the broader definition of sale—i.e., the exchange of personal data for monetary or other valuable consideration. Disclosing personal information to a data broker for some kind of benefit like a discount or access to personal information from other businesses will be considered a sale, even if your business does not receive money from the deal.

Due to the nature of what a data broker does, authorities in these jurisdictions will probably presume that any disclosure to a data broker amounts to a sale. That is, if a business was not receiving any benefit from the exchange, it probably wouldn’t be sending the data in the first place.

Utah and Virginia

In these states, a disclosure of consumers’ personal data is only considered a sale if the business receives monetary consideration in return. It is far less common for businesses to receive cash in exchange for personal data, so most of the time deals with data brokers in these jurisdictions will not be considered selling.

European Economic Area and the UK

Europe’s General Data Protection Regulation (GDPR) does not specifically address the sale of personal data, but it does still grant data subjects some opt-out rights. A person in any of these countries can object to the processing of their data, and the business may only continue the processing if it has compelling grounds to do so that outweighs the person’s privacy interests. In the case of disclosing data to a data broker, the privacy interests would strongly outweigh the business’s interests.

Additionally, European data laws prohibit businesses from sending promotional communications to data subjects without their consent in most situations. This means that if a business purchases an email list or other type of contact information, it cannot send any communications to anyone on the list located in Europe.