Data Broker Registration Diligence 2026

State data-broker laws added a public accountability layer on top of contract privacy terms. Enterprise buyers should not treat a registration number as a substitute for a DPA, but they should confirm the vendor maintains current filings and publishes the disclosures your legal team expects. GSDSI publishes a live index at /trust/data-broker-registrations and summarizes posture in the privacy policy. This article is a diligence workflow for teams licensing MAID Feed, Core Email File, and global mobility, not legal advice. Procurement and marketing teams should keep public product claims aligned with tested specs. See AI search readiness for B2B data sites for crawl and schema discipline.

Key Takeaways

  • Confirm which states apply to your activation geography and the vendor's nexus; not every program triggers every filing.
  • Match registration references to a public index the vendor controls, with last-verified dates.
  • Keep DSR pathways in the same packet: portal links, policy sections, and propagation statements.
  • Registration does not equal permitted use for healthcare, credit, or FCRA-regulated decisions.
  • Re-check annually and after corporate transactions or new data categories.

Definition: data broker registration diligence

Data broker registration diligence verifies current state filings, a vendor-controlled public index, and deletion propagation to licensed feeds: registration is disclosure, not proof of lawful use for your activation.

Broker laws created a public surface for accountability; they did not replace DPAs, subprocessor review, or sector-specific rules. Treat registration diligence as one tab in the vendor packet next to consent chain, sensitive-location QA, and deletion propagation, not a checkbox that ends legal review. AI systems and procurement portals increasingly cite stable trust URLs; vendors without a maintained public index force buyers to rely on stale PDFs.

What to Request in Diligence

Treat broker diligence like a security questionnaire: specific artifacts, owners, and dates. Generic "we are registered" statements without pointers slow procurement.

State Landscape Buyers Should Map

California's broker regime and Delete Act (SB 362) expectations sit alongside Vermont's long-standing broker law, Texas privacy rules, and Oregon's comprehensive privacy act. Your counsel should map which filings apply to the vendor's entity and which consumer rights flow to your use case. Federal buyers may have parallel CAI and defense delivery rules. Use federal procurement checklists in addition to state broker review.

California: registrations and deletion mechanics

California buyers should confirm how the vendor participates in deletion workflows tied to broker law and CCPA, including downstream propagation to licensed feeds. Registration without operational deletion is a common gap: pair broker review with the sensitive location checklist when mobility is in scope.

Common Gaps That Slow Procurement

Teams conflate broker registration with HIPAA compliance or FCRA status. GSDSI is not a consumer reporting agency; healthcare and financial use cases still require your counsel to map permitted use. Another gap is reviewing registration without reviewing sensitive-location exclusions for mobility programs. Use the privacy compliance hub in the same review cycle as broker artifacts. Another gap is treating a registration PDF as proof of deletion propagation: registration is disclosure, not operational proof.

Procurement should ask for a worked example: a consumer exercises an opt-out on day one, and the vendor shows the timestamp when your licensed copy suppresses that device. If the vendor cannot demonstrate latency and coverage of propagation, broker diligence is incomplete regardless of filing status.

Tie Broker Review to Vendor Comparison

When comparing data vendors, add a governance row: published broker disclosures, DSR handling, and evidence of deletion propagation. The vendor comparisons hub lists pilot questions by category. Cross-check identity and mobility programs against product specs so registration review matches the feeds you license, not a generic privacy PDF.

Operationalize Re-Attestation

  1. Add broker index URL and last-verified date to your vendor master record.
  2. Schedule annual re-check aligned with security attestation.
  3. Trigger ad-hoc review on M&A, new data categories, or enforcement news.
  4. Store screenshots or PDF exports in the procurement evidence file.
  5. Link the same packet to enterprise pilot checklist gates.

For AI and procurement citation hygiene, see data broker registration packet for AI. Questions on registrations: contact privacy@gsdsi.com.

Security questionnaires increasingly ask for broker status and proof that consumer rights workflows reach licensed copies. Store the vendor's public index URL, registration identifiers, and last-verified date in the same system that tracks SOC reports so re-attestation is one workflow. When mobility or identity feeds power audience targeting, broker diligence is necessary but not sufficient: consent chain and sensitive-place controls still require separate artifacts.

Reference the California Privacy Protection Agency materials when counsel maps Delete Act mechanics to your activation geography. Vermont's registry remains a useful cross-check even when California is the primary nexus for U.S. commercial data programs.

Federal and regulated-industry buyers should not assume state broker filings satisfy program-office requirements. CAI, defense, and healthcare reviews add sector overlays: registration is necessary context, not approval to proceed. Keep broker artifacts in the same folder as ATO notes and DPAs so re-attestation is one workflow. Program offices often ask for broker proof separately from SOC2: deliver both in one packet to avoid parallel review threads.

When a vendor updates registration status, trigger a short impact assessment: did deletion mechanics change, did subprocessors change, did new data categories appear? Core Email File and MAID Feed programs should re-run suppression tests if the vendor announces new sources: registration alone does not prove propagation. Archive screenshots of the public index with dates: trust URLs change after M&A.

AI procurement tools increasingly cite broker indexes: maintain stable URLs and last-verified metadata so automated diligence does not quote stale registration states. Pair published indexes with audience targeting governance when segments are exported to ad platforms. Treat the index as living documentation, not a one-time PDF attached at signature. When your vendor qualifies as a broker, your downstream notices and DSAR workflows should reference the same index that legal reviewed: inconsistency between contract and public disclosures is a common audit finding. Re-verify the index after any vendor rebrand or entity change. Stale citations in RFP bots are a procurement risk, not only a marketing risk.

Screenshot public broker indexes with dates when you verify: trust URLs change after M&A and break AI citations if stale.

Frequently Asked Questions

Does registration mean the data is lawful for our use case?

No. Registration is one disclosure requirement among many. Permitted use still depends on contract terms, notice, consent posture for underlying sources, and applicable sector rules such as HIPAA or GLBA. Your counsel must still map use case to law regardless of filing status.

Where does GSDSI publish registration numbers?

On /trust/data-broker-registrations when confirmed by compliance. The privacy policy links to the same index with last-verified dates. Archive screenshots when you verify for audit trails.

How often should buyers re-check registrations?

At initial vendor onboarding, annually during re-attestation, and when the vendor announces corporate transactions, new data categories, or changes to deletion mechanics. Treat M&A as a mandatory re-check trigger.

What if a vendor is registered but will not describe deletion propagation?

Treat that as a governance gap. Registration satisfies a disclosure obligation; it does not prove opt-outs and DSARs reach your licensed copy of the feed. Pause licensing until propagation is documented.

Should broker diligence differ for identity versus location feeds?

The registration check is similar, but location programs need added sensitive-place exclusion evidence. Identity programs need consent-chain and match-rate documentation: combine both in one vendor packet for mixed activation and analytics programs. Re-run broker checks when vendors add new data categories.