Data Brokers Under Siege: Vermont's Delete Act, New York's Budget Play, and the Tightening Regulatory Noose

The data broker industry is facing a regulatory pincer movement. On one front, state legislatures are advancing increasingly aggressive registration, transparency, and deletion requirements. On the other, enforcement agencies like the California Privacy Protection Agency (CPPA) are bringing fines and investigations that are making non-compliance expensive.

This week, two significant developments pushed the crackdown further: Vermont advanced a bill that would bring California Delete Act-style requirements to the Northeast, while New York legislators embedded data broker provisions into two budget bills — a procedural move that dramatically increases the likelihood of passage.

For data brokers and the organizations that purchase their data, the message is clear: the business model that has sustained the industry for two decades is being systematically dismantled, one state at a time.

Vermont: The Delete Act Goes Northeast

Vermont Representative Monique Priestley’s data broker bill (H.208) passed out of a House committee this week, advancing toward a full House vote. The bill would significantly strengthen Vermont’s existing data broker registration law — which, when originally passed in 2018, was the first of its kind in the nation.

What Vermont’s Bill Does

The bill amends Vermont’s existing data broker registration requirements to add provisions modeled on California’s Delete Act (SB 362):

Universal deletion mechanism. Like California’s Delete Act, Vermont’s bill would create a centralized system through which consumers can request deletion of their data from all registered data brokers with a single request — rather than submitting individual deletion requests to dozens or hundreds of companies.

Enhanced registration requirements. Data brokers would need to provide more detailed information about their data practices, including the categories of data they collect, sources of data acquisition, and categories of third parties they sell data to.

Credentialing procedures. The bill requires data brokers to implement verification procedures to ensure that personal information is sold only for “legitimate and legal purposes.” This is a direct response to investigations revealing that data brokers have sold location data, financial information, and personal details to stalkers, scammers, and foreign intelligence services.

Breach notification requirements. Data brokers would be required to notify consumers when their data is compromised in a security breach — a requirement that doesn’t exist under most current data broker registration laws.

Private right of action. Perhaps the most aggressive provision: consumers would be able to bring lawsuits against data brokers and “large data holders” (companies processing data on more than 100,000 Vermonters). This goes significantly beyond California’s Delete Act, which relies primarily on regulatory enforcement.

Why Vermont Matters

Vermont’s data broker registration law was a trailblazer in 2018, establishing the principle that companies whose primary business is buying and selling personal data should be publicly registered and subject to oversight. But the original law had limited teeth — registration was the primary obligation, with minimal transparency or consumer rights requirements.

The 2026 bill transforms Vermont’s framework from a registration system into a comprehensive regulatory regime. And because Vermont was first, it has institutional knowledge and enforcement infrastructure that newer states lack.

The EPIC (Electronic Privacy Information Center) testimony in support of the bill — while urging some changes — signals that the privacy advocacy community views this as model legislation that other states should follow.

The Private Right of Action Factor

The inclusion of a private right of action is the provision that should most concern the data broker industry. Under current enforcement models, data broker regulation relies on state attorneys general or privacy agencies to bring actions — and those agencies have limited resources.

A private right of action allows individual consumers (and, more importantly, plaintiffs’ attorneys) to bring lawsuits. This creates a multiplicative enforcement effect: instead of one regulator bringing occasional actions, thousands of potential plaintiffs can pursue claims simultaneously.

California’s CCPA includes a limited private right of action for data breaches but not for general privacy violations. Vermont’s bill would go further, allowing lawsuits for a broader range of violations. If passed, it could trigger a wave of data broker litigation — and, potentially, inspire other states to include similar provisions.

New York: The Budget Bill Backdoor

In a move that privacy advocates are calling strategically brilliant and industry groups are calling procedurally unfair, New York legislators have embedded data broker provisions into two budget bills.

Why Budget Bills Matter

In New York (and many other states), budget bills carry special procedural advantages:

They must be voted on. Unlike standalone bills that can languish in committee indefinitely, budget bills have hard deadlines and floor votes.
They’re harder to isolate. Voting against a provision in a budget bill means voting against the entire budget — a politically costly move.
They move faster. Budget bills bypass much of the committee process that standalone bills navigate.

By embedding data broker provisions in budget legislation, New York lawmakers have dramatically increased the probability that these provisions become law — potentially before the data broker industry can mount its usual lobbying campaign.

What’s in the New York Provisions

While the full text of the budget provisions is still being finalized, reporting indicates they include:

Data broker registration requirements for companies operating in New York
Transparency obligations regarding data collection and sale practices
Consumer access and deletion rights specific to data broker-held information
Enforcement mechanisms through the state attorney general’s office

Given New York’s population (approximately 19.5 million) and its role as the headquarters of the financial and advertising industries, a New York data broker law would have outsized impact. Many of the largest data brokers are incorporated or have primary operations in New York.

The Broader Data Broker Crackdown

Vermont and New York aren’t operating in isolation. They’re part of an accelerating nationwide crackdown on data brokers that’s unfolding across multiple vectors simultaneously.

Legislative Momentum

As of mid-March 2026, data broker-specific legislation is active in at least nine states. The Troutman Pepper privacy tracking team reports bills in various stages across the country, with the common thread being increasingly aggressive requirements beyond simple registration.

The progression is clear:

2018-2020: Vermont and California establish data broker registration requirements
2021-2023: California passes the Delete Act, creating universal deletion rights
2024-2025: CalPrivacy begins enforcement, issuing fines and launching the Data Broker Enforcement Strike Force
2026: Multiple states advance Delete Act-style requirements, adding private rights of action and enhanced transparency

Each generation of legislation builds on lessons from previous states. Vermont’s bill incorporates elements of California’s Delete Act. Future bills in other states will incorporate elements of Vermont’s private right of action. The ratchet only turns in one direction.

Enforcement Escalation

Legislative activity is being matched by enforcement action. California’s CPPA has been particularly aggressive:

Eight fines and counting against data brokers for registration violations
A dedicated Data Broker Enforcement Strike Force targeting both Delete Act compliance and CCPA violations
150 weekly complaints being processed, with explicit warnings about scrutinizing “any business that walks and talks like a data broker”

The FTC has also increased its focus on data brokers, particularly those selling sensitive categories of data like geolocation, health information, and financial data. Multiple enforcement actions in 2025 targeted brokers selling location data that could identify visits to abortion clinics, substance abuse treatment facilities, and houses of worship.

The California Delete Act Timeline

California’s Delete Act is approaching a critical implementation milestone. By August 2026, the CPPA must establish the centralized deletion mechanism that allows consumers to submit a single request to delete their data from all registered brokers.

Once this mechanism is operational, it will serve as proof of concept for other states considering similar systems. If Vermont’s bill passes, the state would likely model its deletion mechanism on California’s — reducing implementation costs and accelerating deployment.

What This Means for Organizations

The data broker crackdown has implications far beyond companies that self-identify as data brokers.

Are You a Data Broker?

The definition of “data broker” varies by state, but generally includes any entity that collects and sells consumer personal data without a direct relationship with the consumer. This can include:

Ad tech companies that aggregate and sell audience data
Marketing data providers that sell consumer profiles
People search sites that compile and sell personal information
Background check companies (with exceptions in some states)
Analytics firms that sell derived insights based on personal data

If your organization buys or sells consumer data and you don’t have a direct relationship with the consumers whose data you’re processing, you may be subject to data broker registration and compliance requirements in multiple states.

Compliance Priorities

1. Registration audit. Determine whether you meet the definition of a data broker in California, Vermont, and any other states where registration laws exist. Non-registration is the most common violation being enforced — and it’s the easiest to avoid.

2. Deletion infrastructure. If you’re subject to the California Delete Act, ensure your systems can process deletion requests received through the CPPA’s centralized mechanism when it launches. If Vermont passes its bill, begin planning for a similar system there.

3. Data supply chain review. If you purchase data from brokers, verify that your suppliers are registered where required. CalPrivacy’s enforcement approach includes investigating downstream purchasers, not just brokers themselves.

4. Transparency documentation. Multiple bills now require brokers to disclose categories of data collected, data sources, and categories of purchasers. Begin documenting these data flows if you haven’t already — it’s easier to prepare disclosure documents proactively than under regulatory deadline.

5. Litigation readiness. If Vermont’s private right of action provision passes, data brokers and large data holders should expect plaintiff litigation. Review your insurance coverage, retention policies, and data practices for exposure.

The Strategic Question

For organizations that rely on purchased data — for marketing, lead generation, risk assessment, or audience targeting — the strategic question is no longer whether the data broker ecosystem will be regulated, but how quickly and how aggressively.

The trajectory is unmistakable: every year brings more states, more requirements, and more enforcement. Organizations that build their data strategies around purchased broker data are building on an increasingly unstable foundation.

The alternatives — first-party data strategies, privacy-preserving technologies, contextual targeting, and consent-based data collection — require investment now but will be more durable in the long term. The data broker crackdown isn’t a wave that will recede. It’s a tide that’s still coming in.