Dozens of data brokers disclose selling reproductive healthcare info, precise geolocation and data belonging to minors
New information made public by the state of California shows that a significant portion of data brokers collect and sell sensitive information on topics like reproductive health, as well as data belonging to children.
Out of 480 data brokers registered with the California Privacy Protection Agency (CPPA), 24 indicated they sell data belonging to minors. Seventy-nine brokers sell precise geolocation and 25 sell reproductive health information, the registry shows. Some, but not all, of those brokers sell data in all three categories. It is not clear what type of data belonging to minors the brokers sell.
The new disclosures are required under California’s DELETE Act, legislation passed in September which will also require data brokers to delete the information of consumers who request their personal data be erased. Consumers will be able to do so with the push of a button beginning in 2026.
Justin Sherman, an expert on data brokers who recently published research showing data brokers sold sensitive information belonging to members of the military without asking questions, expressed shock at the number of companies selling data on minors in particular.
“It’s especially disturbing that 24 of the registered data brokers sell data on minors and underscores how our current system has failed to safeguard kids’ privacy,” Sherman said via text. “If that’s not a problem, I don’t know what is.”
Sherman pointed out that the federal law known as COPPA, which regulates children’s privacy, does not currently prevent companies from selling data about children.
A bill updating COPPA, which is currently languishing in Congress, would change the existing law to bar online services from collecting data from kids under age 17.
“As Congress fails to do its job in this area, states should pursue strong data broker regulation,” Sherman said.
Some of the country's largest data brokers are registered as selling information in at least some of the three sensitive data categories, including Acxiom, Experian, Comscore and LexisNexis Risk Solutions.
There also has been a drop-off in the number of data brokers registered, with 70 fewer listed this year versus last, according to testimony from Liz Allen, a CPPA lawyer, at an agency board meeting Friday.
It is difficult to know how many data brokers are operating without being registered, especially since there are many smaller companies trafficking in consumers’ private data in the shadows, experts say.
“The universe of unregistered brokers is unknown, and almost certainly much larger,” Emory Roane, policy counsel at Privacy Rights Clearinghouse, said via email.
Before the DELETE Act, data brokers did not have to disclose whether they sold data belonging to minors, data relating to reproductive healthcare or precise geolocation data in California, one of only two states with an active registry.
“One of the goals of the DELETE Act was to increase transparency, and it is gratifying that just a few months after Governor Newsom signed the Delete Act into law, we can now see the first ever list of who is selling personal data on minors, our precise geolocation, and our reproductive healthcare data,” Tom Kemp, a privacy advocate who helped shape the DELETE Act, said via text.
“This is a big win for consumers to know who has their data and what type of sensitive data they are collecting and selling on each and every one of us and our kids,” Kemp added.
Data brokers who fail to register will be fined $200 a day, Allen testified, indicating that the agency intends to pursue scofflaws. The California Attorney General managed the registry until recently and failed to actively enforce non-registration, reporting from Recorded Future News has shown.
Asked about the non-registration problem, Allen said “that would be something that we can enforce on for example, to try to figure out who isn't registering, who should be and then try to bring” them into the registry.
Under new CPPA rules taking effect in July, data brokers will have to provide an expanding list of information on their websites. The information they will be forced to disclose includes the number of consumer requests to delete personal information they have received and the median and mean number of days within which they answered such requests.
Beginning in 2028, data brokers also will be subjected to an audit every three years to ensure they are complying with the law’s requirements.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.