The Short Answer
Yes, data brokering is mostly legal in the United States. There is no comprehensive federal law that prohibits the collection, aggregation, or sale of personal information. Companies like Spokeo, Whitepages, and Radaris operate lawfully by compiling data from public records, social media, commercial transactions, and other sources, then selling access to that compiled information.
The legal foundation is straightforward: if information is already publicly available -- through court records, property filings, voter registrations, or your own social media posts -- aggregating it into a searchable profile is generally protected activity. Courts have consistently held that there is no privacy interest in information you have already made public, even when that information is combined in ways you never anticipated.
But "mostly legal" is doing a lot of work in that sentence. The exceptions matter, the gray areas are expanding, and the regulatory landscape is shifting faster than at any point in the industry's history.
Why Data Brokering Is Legal
The data broker industry exists in a regulatory vacuum that is partly historical accident and partly constitutional design.
The public records doctrine. American law has long held that government records are public by default. Court filings, property deeds, marriage licenses, voter registrations, business incorporations -- these are all public records that anyone can access. Data brokers began by digitizing and indexing these records, making searchable what was already technically available to anyone willing to visit a county clerk's office. The argument that this should be illegal runs headfirst into a long tradition of open government.
First Amendment protection. Data brokers frame their work as speech. They collect facts about individuals and publish those facts. The Supreme Court has repeatedly held that truthful information, lawfully obtained, receives First Amendment protection. In Sorrell v. IMS Health (2011), the Court struck down a Vermont law restricting the sale of prescriber data, reinforcing that the sale of information is a form of protected expression. Data brokers cite this case frequently -- and not without justification.
No comprehensive federal privacy law. The European Union has the GDPR. Canada has PIPEDA. Brazil has the LGPD. The United States has nothing comparable. Instead, American privacy law is a patchwork of sector-specific statutes, each covering a narrow category of data. If your information does not fall into one of those protected categories, there is no federal law preventing its sale.
The Legal Carve-Outs
While no federal law covers data brokering generally, several laws restrict the collection and sale of specific types of personal data. These carve-outs are narrow but carry real consequences when violated.
- Health data (HIPAA). The Health Insurance Portability and Accountability Act restricts how healthcare providers, insurers, and their business associates handle protected health information. A hospital cannot sell your medical records to a data broker. However, HIPAA only covers "covered entities" -- health data collected by apps, wearables, or purchased from non-medical sources often falls outside its scope.
- Children's data (COPPA). The Children's Online Privacy Protection Act prohibits the collection of personal information from children under 13 without verifiable parental consent. Data brokers that knowingly include children's data in their databases are in violation. The FTC has brought multiple enforcement actions under COPPA, including against companies that scraped data from platforms with significant child user bases.
- Credit data (FCRA). The Fair Credit Reporting Act regulates "consumer reporting agencies" -- companies that compile information used for credit decisions, employment screening, tenant screening, or insurance underwriting. If a data broker sells information used for any of these "permissible purposes," it must comply with FCRA requirements: accuracy standards, dispute resolution, and limits on who can access the data. This is the carve-out that data brokers most frequently run afoul of.
- Financial data (GLBA). The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and to protect sensitive customer data. It restricts the sale of financial information like account numbers, balances, and transaction histories. However, it applies to financial institutions, not to data brokers who obtain financial data through other channels.
These laws protect important categories of information. But they leave the vast majority of personal data -- your name, address, phone number, age, relatives, employment history, property records -- entirely unregulated at the federal level.
The Gray Areas
The most consequential legal battles in data brokering are not about clearly illegal conduct. They are about activity that falls into gray areas where the law has not yet caught up.
Non-FCRA data used for FCRA purposes. A data broker can legally sell a background report that includes someone's name, address, and criminal history -- as long as the buyer does not use it to make a credit, employment, or housing decision. In practice, this distinction is almost impossible to enforce. Landlords, small employers, and individuals routinely purchase "people search" reports and use them for exactly these purposes. The broker disclaims FCRA applicability in its terms of service. The buyer ignores the disclaimer. The person whose data was misused has no practical way to prove what happened.
Selling data to known bad actors. Data brokers are not legally required to vet their customers in most cases. But when a broker has reason to know that a buyer intends to use data for stalking, harassment, or fraud, continuing to sell that data creates potential liability under state tort law and, in some cases, federal anti-stalking statutes. The FTC has argued in multiple enforcement actions that brokers who fail to screen out obviously harmful use cases are engaging in unfair business practices.
Data that enables discrimination. Selling profiles that include race, ethnicity, religion, or national origin -- often inferred from names, addresses, or purchasing behavior -- creates the infrastructure for discriminatory targeting. While the data sale itself may be legal, using that data to discriminate in housing, employment, or credit is not. The question of whether a broker bears responsibility for foreseeable misuse of the data it sells remains unsettled.
Active Litigation and Enforcement
The enforcement landscape has shifted dramatically since 2023. Regulators who spent years studying the data broker industry are now bringing cases.
FTC enforcement. The Federal Trade Commission has brought actions against several data brokers under its authority to regulate unfair and deceptive practices. In 2024, the FTC took action against X-Mode Social (now Outlogic) for selling precise location data that could be used to track people's visits to sensitive locations including medical facilities and places of worship. The agency has also targeted people-search sites that marketed their services as FCRA-compliant without meeting the statute's requirements for accuracy and dispute resolution.
State attorney general actions. Texas filed a landmark suit against Allstate's data subsidiary Arity in 2024, alleging the company collected driving data from 45 million Americans through mobile apps without adequate consent. California's AG has pursued enforcement under the California Consumer Privacy Act (CCPA), which gives residents the right to opt out of the sale of their personal information. Oregon, Connecticut, and New Jersey have all initiated investigations or enforcement actions against brokers operating without required state registrations.
Class action lawsuits. Private litigation against data brokers has grown substantially, though outcomes remain mixed. Cases typically allege violations of FCRA (for brokers that function as de facto consumer reporting agencies), state consumer protection statutes, or -- increasingly -- state biometric privacy laws. Illinois's Biometric Information Privacy Act (BIPA) has produced the largest settlements, though most data brokers do not collect biometric data directly.
The pattern in most enforcement actions is the same: regulators or plaintiffs argue that a broker's actual business practices are more harmful than its legal disclaimers suggest. Disclaimers that a broker is not a consumer reporting agency, that its data is "for informational purposes only," or that buyers are responsible for compliance are increasingly being tested against what actually happens when the data is sold.
The Constitutional Tension
At the heart of the data brokering debate is a tension that American law has not resolved: your privacy interest versus the First Amendment's protection of information.
Individual public records are largely harmless in isolation. Your property deed is filed at the county office. Your voter registration is public. Your court filing is accessible to anyone. Each of these facts, standing alone, presents minimal privacy risk. The aggregation problem arises when a single company combines hundreds of these data points into a comprehensive profile that reveals your daily patterns, financial situation, family relationships, and physical location.
This is sometimes called the "mosaic theory" of privacy -- the idea that individually innocuous data points become surveillance-grade information when combined. The Supreme Court recognized a version of this concept in Carpenter v. United States (2018), where it held that long-term cell phone location tracking constitutes a search under the Fourth Amendment, even though individual location data points are not constitutionally protected. But Carpenter applied to government surveillance, not commercial data collection.
Courts have not yet extended this reasoning to data brokers. The question remains: does the First Amendment protect the right to compile and sell a dossier on any American citizen, assembled from hundreds of public and commercial sources, accessible to anyone for a few dollars? The constitutional answer is genuinely uncertain. Lower courts have reached different conclusions, and the Supreme Court has not directly addressed the question.
Where the Law Is Heading
The regulatory trajectory is clear, even if the timeline is not. Data brokering is becoming more regulated at every level of government.
State momentum. The most significant regulatory action is happening at the state level. California's CCPA and its successor, the CPRA, give residents the right to know what data is collected, to delete it, and to opt out of its sale. As of early 2026, at least 19 states have enacted comprehensive privacy laws, with most including data broker registration requirements and consumer opt-out rights. Vermont pioneered broker registration in 2019; California, Texas, and Oregon now have the most expansive requirements.
Federal proposals. Multiple federal privacy bills have been introduced in Congress, including the American Data Privacy and Protection Act (ADPPA), which would establish national data minimization standards and create a private right of action. None have passed as of early 2026. The political challenge is real: industry lobbying is intense, and disagreements about federal preemption of state laws have stalled negotiations repeatedly. But the direction of travel is toward some form of federal baseline -- the question is when, not whether.
The EU comparison. The contrast with European regulation is instructive. Under the GDPR, data brokers must have a lawful basis for processing personal data -- typically either consent or a legitimate interest that does not override the individual's rights. In practice, this means that most people-search business models as they exist in the US would be illegal in Europe. European regulators have fined data-processing companies hundreds of millions of euros for violations. The American model of "collect everything, let consumers opt out" is the inverse of the European model of "collect nothing unless justified." The gap between these approaches is narrowing, but slowly.
For individuals living in the United States today, the practical reality is this: data brokering is legal, your information is being sold, and your primary recourse is to opt out from each broker individually. The law may eventually catch up. In the meantime, the burden of protecting your privacy falls on you.