If you're running a data vendor operation and weighing a shift toward brokerage, or evaluating whether to work with a broker, the compliance picture deserves more attention than most overviews give it. Operating as a full data broker is not a matter of scale; it puts you under a different regulatory posture entirely.
When "data vendor" becomes "data broker"
The legal definitions matter here, and they're narrower than you might expect. In California, a "data broker" is specifically a business that knowingly collects and sells to third parties the personal information of consumers with whom it has no direct relationship.
That last clause is key: if you're enriching data for companies that already have a relationship with the people in their CRM, you may not trigger broker status. If you're licensing datasets about individuals who've never heard of you, you probably do. Broker status also turns on whether you sell that personal information to third parties, and on statutory carve-outs such as data already covered by the FCRA, GLBA, or HIPAA.
California's data broker registration law requires annual registration with the California Privacy Protection Agency, which maintains a public registry of data brokers, along with registration disclosures and a fee. The state's Delete Act requires registered brokers to participate in DROP, the state's centralized deletion mechanism; brokers begin processing consumer deletion lists on August 1, 2026, at least once every 45 days. Other states are following with their own frameworks, and the definitions aren't uniform: what qualifies as "selling" data, what counts as "personal information," and what exemptions apply all vary by jurisdiction.
Before you assume you're exempt, map your actual data flows. Where does the information originate? Who are you licensing it to? What are they doing with it? The answers determine which rules apply.
The privacy framework patchwork
Operating across jurisdictions means operating under multiple overlapping regimes. The two you'll encounter most often are GDPR in Europe and CCPA/CPRA in California, but they work differently.
