Are You a “Data Broker” Under California Law? The Direct-Relationship Test
Plenty of lead-gen operators read "data broker" and assume it means someone else. California's definition is broader than the label suggests, and the test is simpler than you'd expect. It comes down to one relationship.
This is an operator's read, not legal advice.
The direct-relationship test
Under California's Delete Act, a data broker is "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." That last clause is the whole test.
- Did the consumer come to you — your site, your form, your brand — and hand over their information? That's a direct relationship, generally outside the definition.
- Are you buying consumer data from a third party and reselling it to other third parties, with no direct relationship to the consumer? That's the broker pattern the law targets.
California's registry isn't a niche club — it listed roughly 545 registered data brokers as of January 2026, and there's no revenue or volume threshold. One brokered data flow can put you in scope.
Where the carve-outs help — and where they stop
The exemptions most relevant to lead-gen are for GLBA-covered and FCRA-covered information and activity, plus information collected directly from the consumer and publicly available data.
The carve-out is activity-specific
GLBA and FCRA exemptions attach to *covered information and activity*, not to a company as a whole. A mortgage lead company can run GLBA-covered activity in one part of the business and non-covered data resale in another. The second can still trigger registration. The exemption is a scalpel, not a shield.
Other states are doing the same thing
California isn't alone. Vermont (the 2018 first mover), Texas, and Oregon all maintain data-broker registries, each with its own definition, thresholds, and per-day penalties. Texas, for instance, turns on a 50%-of-revenue-from-data test or data on 50,000+ individuals. If you operate nationally, "am I a data broker?" is a question you may have to answer in more than one state.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.
The honest bottom line
If any part of your business knowingly sells consumer data about people you have no direct relationship with, assume you may be in scope and get a real answer — because the registration deadline (January 31) and the DROP deletion duties (starting August 1, 2026) both carry $200-per-day penalties.
Not Legal Advice
General information, not legal advice. Whether a specific lead-gen model is a "data broker," and how the GLBA/FCRA exemptions apply to it, is fact-specific and unsettled at the margins. Confirm with qualified counsel before relying on any conclusion here.
Sources
- Data Broker Regulation Framework — CA, TX, VT, OR — California Lawyers Association (accessed 2026-06-29)
- About DROP and the Delete Act — California Privacy Protection Agency (accessed 2026-06-29)
30+ years in lead gen · BRSG Founder
Bill Rice has spent 30+ years in mortgage, lending, and performance marketing — generating leads, buying them, and building the systems that route and work them. He founded a performance-marketing agency, owned a direct-to-consumer lender, and wrote The Lead Buyer's Playbook. He built Lead Compliance Hub to help operators navigate the legal landmines of online lead generation from an operator's seat, not a law firm's. Nothing he writes here is legal advice.
Key Terms to Know
California Delete Act
SB 362 (2023), which amended California’s data-broker law, moved registration to the California Privacy Protection Agency, and created DROP — a single platform for consumers to request deletion across all registered brokers.
DROP
California’s Delete Request and Opt-out Platform. It launched January 1, 2026 (consumers can submit requests); registered data brokers must begin processing deletion requests by August 1, 2026 and check the platform at least every 45 days.
Data Broker
Under California’s Delete Act (Civ. Code § 1798.99.80(c)), “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Many lead aggregators fall squarely within it.
GLBA
The Gramm-Leach-Bliley Act. To the extent information or activity is covered by GLBA (or FCRA), it is exempt from California’s data-broker definition — but the exemption attaches to the covered activity, not to the company as a whole.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.