New information released by the state of California reveals that a significant portion of data brokers collect and sell sensitive information on topics such as reproductive health and data belonging to children.
Of the 480 data brokers registered with the California Privacy Protection Agency (CPPA), 24 have disclosed that they sell the data of minors. According to the registry, 79 brokers sell precise location information and 25 brokers sell reproductive health information. Of that number, some, but not all, sell data in all three categories. It is not clear what kind of data belonging to minors the brokers sell.
The new disclosures are required under California’s expungement law, passed in September, which also requires data brokers to delete information about consumers who request erasure of their personal data. Consumers will be able to do so at the push of a button starting in 2026.
Data broker expert Justin Sherman recently released research showing that data brokers are selling sensitive information on military personnel without asking questions, and in particular selling the data of minors. A number of companies expressed shock.
“The fact that 24 of the registered data brokers are selling the data of minors is particularly worrying and highlights how the current system fails to protect children’s privacy,” Sherman said in a text message. “If that’s not a problem, I don’t know what is.”
Sherman pointed out that the federal law known as COPPA, which regulates children’s privacy, currently does not prevent companies from selling data about children.
A bill to update COPPA, currently pending in Congress, would change current law that prohibits online services from collecting data from children under 17.
“Since Congress is not doing its part in this area, states should pursue strong data broker regulation,” Sherman said.
Some of the nation’s largest data brokers, including Acxiom, Experian, Comscore, and LexisNexis Risk Solutions, are registered as selling information in at least some of the three sensitive data categories.
The number of registered data brokers is also decreasing, with 70 fewer companies this year compared to last year, according to testimony from CPPA attorney Liz Allen at Friday’s commission board meeting.
Experts say it is difficult to know how many data brokers operate without registration, especially because there are many small and medium-sized companies that buy and sell consumers’ personal data behind the scenes.
“The world of unregistered brokers is unknown and almost certainly much larger,” Emory Roane, policy advisor at the Privacy Rights Clearinghouse, said in an email.
Prior to the DELETE law, data brokers in California, one of only two states with active registries, were not required to disclose whether they sold data belonging to minors, data related to reproductive health care, or location data.
“One of the goals of the Erasure Act is to increase transparency, and just months after Governor Newsom signed the Erasure Act, the first-ever list of people selling the personal data of minors was confirmed. We are happy to see that we now have access to our precise geolocation and reproductive health data,” Tom Kemp, a privacy advocate who helped write the expungement law, said in a text.
“For consumers, being able to know who has their data and what kind of sensitive data they are collecting and selling about each of us and our children is huge. That’s an advantage,” Kemp added.
Allen testified that data brokers who fail to register are subject to fines of $200 per day, and indicated that data brokers intend to pursue defamation charges. Recorded Future News reported that until recently, California’s attorney general controlled the registry, but failed to actively enforce against non-registration.
Asked about the issue of non-registration, Allen said: “It would allow us to understand, for example, who is not registered, who should be registered and try to get them registered on the register.”
Under new CPPA rules that take effect in July, data brokers will have to provide more information on their websites. The required disclosures include the number of requests to delete personal information received from consumers and the median and average number of days it takes to comply with such requests.
From 2028, data brokers will also be audited every three years to ensure they comply with the law’s requirements.


