Privacy Law Exemptions Often Let Data Brokers Off the Hook. EPIC’s New White Paper Provides Recommendations to Fill the Gaps.
July 29, 2025
Today, EPIC published Unbridled and Underregulated: Removing FCRA and GLBA Exemptions from Privacy Laws to Hold Data Brokers Accountable, a white paper by EPIC Law Fellow Caroline Kraczon and EPIC Scholar in Residence Justin Sherman. The paper shows that many state privacy laws include exemptions for data or entities covered by the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA). These exemptions can let data brokers partly off the hook and allow privacy-invasive and harmful data broker activities to go unregulated. The paper compares the consumer rights and protections included in the FCRA, the GLBA, and state privacy laws, evaluates the negative incentives created by the current legislative and regulatory structure governing data brokers, and provides recommendations for policymakers to better protect consumers from data broker-caused harm.
What are data brokers?
Data brokers are companies that collect, aggregate, package, and sell huge volumes of our personal data, often without having any direct relationship with consumers. Most consumers are familiar with consumer reporting agencies (CRAs), which are data brokers that sell “credit reports” and “credit scores” on people to lenders, landlords, and other purchasers. CRAs include nationwide credit reporting companies like Equifax, TransUnion, and Experian, as well as specialty CRAs, which sell credit reports for specific purposes like employment background checks, subprime lending, tenant screening, and medical insurance underwriting.
But CRAs often sell personal information that goes far beyond credit information, including data on purchases, browsing histories, network data, geolocation data, and inferred preference and characteristic data on hundreds of millions of U.S. persons.
Based on their privacy policies, Equifax, Experian, and TransUnion reserve the right to sell or share the following types of data:
| Data Type | Equifax — Sold or Shared? | Experian — Sold or Shared? | TransUnion — Sold or Shared? |
| Personal identifiers | YES | YES | YES |
| Demographic information | YES | YES | YES |
| Commercial transaction data | YES | YES | YES |
| Internet or other network activity | YES | YES | YES |
| Professional or employment data | YES | YES | YES |
| Geolocation data | YES | YES | YES |
| Education data | YES | YES | NO |
Federal Privacy Laws Governing CRAs
Data brokerage is an alarmingly unregulated industry. Among the few laws and regulations that apply to many data brokers are the FCRA and the GLBA, which both provide privacy protections in the financial sector and in other situations in which financial information is used, such as tenant screening.
Our paper details the privacy protections and consumer rights afforded by the FCRA and the GLBA and discusses how some data brokers, but not all, fall within the scope of either or both of these laws. Ambiguities in the current regulatory landscape have afforded some companies the space to speciously claim that they are not subject to the FCRA or the GLBA, either by mischaracterizing their own data activities or posting boilerplate language on their websites to the effect of “do not use this data for credit reporting purposes as defined under the FCRA.”
As our paper discusses, data brokers should not be able to avoid FCRA or GLBA coverage simply by including a disclaimer on their website. Yet many brokers rely on the conceit that data purchasers will adhere to their disclaimers, which often means (as a practical matter) that consumers aren’t afforded the rights promised to them by law. Thanks to these loopholes, brokers end up inflicting the very harms that the FCRA and the GLBA are designed to prevent.
State Privacy Laws
As of July 1, 2025, 19 states have passed general privacy laws. These laws provide consumers with more transparency into how companies collect, use, and share their personal data. The laws also give consumers more control over their personal data—though without additional privacy obligations for businesses, that control puts the onus on consumers to take action.
All 19 of the general state privacy laws that have passed as of July 1, 2025 include exemptions for data or entities regulated by the FCRA and the GLBA. All of the FCRA exemption provisions are “data-level” exemptions rather than “entity-level” exemptions, meaning that each exemption only applies to activities regulated and authorized by the FCRA rather than to an entire entity. All 19 general state privacy laws also include an exemption for GLBA-covered data, and every state except California, Connecticut, Minnesota, Montana, and Oregon also includes a GLBA entity-level exemption. In the 14 states with entity-level GLBA exemptions, a company is exempt from the state privacy law if any portion of its business or activities are covered by the GLBA.
The table below lists the exempting provision of each general state privacy law. Every law contains both an FCRA and a GLBA data-level exemption, and most also exempt GLBA-covered entities entirely.
General State Privacy Law FCRA and GLBA Exemptions
| State | FCRA Data-Level Exemption | GLBA Data-Level Exemption | GLBA Entity-Level Exemption | FCRA Exemption Citation | GLBA Exemption Citation |
| California | X | X | | Cal. Civ. Code § 1798.145(d) | Cal. Civ. Code § 1798.145(e) |
| Colorado | X | X | X | Colo. Rev. Stat. § 6-1-1304(2)(i)(II) | Colo. Rev. Stat. § 6-1-1304(2)(j)(II), (2)(q) |
| Connecticut | X | X | | Conn. Gen. Stat. § 42-517(b)(11) | Conn. Gen. Stat. § 42-517(a)(6) |
| Delaware | X | X | X | 6 Del. Code § 12D-103(c)(7) | 6 Del. Code § 12D-103(b)(2), (c)(14) |
| Indiana | X | X | X | Ind. Code § 24-15-1-2(9) | Ind. Code § 24-15-1-1(b)(2) |
| Iowa | X | X | X | Iowa Code § 715D.2(3)(m) | Iowa Code § 715D.2(2) |
| Kentucky | X | X | X | Ky. Rev. Stat. § 367.3613(3)(j) | Ky. Rev. Stat. § 367.3613(2)(b) |
| Maryland | X | X | X | Md. Code, Com. Law § 14-4603(b)(7) | Md. Code, Com. Law § 14-4603(a)(3) |
| Minnesota | X | X | | Minn. Stat. § 325O.03(2)(a)(8) | Minn. Stat. § 325O.03(2)(a)(9), (2)(a)(16) |
| Montana | X | X | | Mont. Code § 30-14-2804(2)(k) | Mont. Code § 30-14-2804(1)(e) |
| Nebraska | X | X | X | Neb. Rev. Stat. § 87-1104(11) | Neb. Rev. Stat. § 87-1103(2)(b) |
| New Hampshire | X | X | X | N.H. Rev. Stat. § 507-H:3(II)(k) | N.H. Rev. Stat. § 507-H:3(I)(e) |
| New Jersey | X | X | X | N.J. Stat. § 56:8-166.13(f) | N.J. Stat. § 56:8-166.13(b) |
| Oregon | X | X | | Or. Rev. Stat. § 646A.572(2)(j) | Or. Rev. Stat. § 646A.572(2)(k)(A), (2)(l) |
| Rhode Island | X | X | X | R.I. Gen. Laws § 6-48.1-3(e)(11) | R.I. Gen. Laws § 6-48.1-10(a) |
| Tennessee | X | X | X | Tenn. Code § 47-18-3210(a)(16) | Tenn. Code § 47-18-3210(a)(2) |
| Texas | X | X | X | Tex. Bus. & Com. Code § 541.003(11) | Tex. Bus. & Com. Code § 541.002(b)(2) |
| Utah | X | X | X | Utah Code § 13-61-102(j)(i)(C) | Utah Code § 13-61-102(2)(k) |
| Virginia | X | X | X | Va. Code § 59.1-576(C)(10) | Va. Code § 59.1-576(B) |
Four states—California, Vermont, Texas, and Oregon—have also passed data broker registry laws. Though these laws differ in scope, they generally require third-party data brokers (i.e., companies selling personal data that they did not collect from their own customers or users) to register with a state agency; to allow consumers to request that data brokers delete their data or stop collecting and selling their data; and to comply with data security requirements. The table below includes FCRA and GLBA exemptions in state data broker registry laws.
State Data Broker Registry Laws’ FCRA & GLBA Exemptions
| State | Law | FCRA Exemption Language | GLBA Exemption Language |
| California | Delete Act Sec. 1(c) | “An entity to the extent that it is covered by the federal Fair Credit Reporting Act” | “An entity to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.” |
| Vermont | Data Broker Act | No exemption | No exemption |
| Texas | Data Broker Act Sec. 509.003(b) | “A consumer reporting agency or other person or entity that furnishes information for inclusion in a consumer credit report or obtains a consumer credit report, but only to the extent the person or entity engages in activity regulated or authorized by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.), including the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” | “A financial institution subject to Title V, Gramm-Leach-Bliley Act” |
| Oregon | HB 2052 Sec. 1(c)(B) | “A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), a person that furnishes information to a consumer reporting agency, as provided in 15 U.S.C. 1681s-2, or a user of a consumer report, as defined in 15 U.S.C. 1681a(d), to the extent that the consumer reporting agency, the person that furnishes information to a consumer reporting agency or the user of a consumer report engages in activities that are subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.” | “A financial institution, an affiliate or a nonaffiliated third party, as those terms are defined in 15 U.S.C. 6809, to the extent that the financial institution, affiliate or nonaffiliated third party engages in activities that are subject to regulation under Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 to 6809, and regulations adopted under Title V of the Gramm-Leach-Bliley Act.” |
Comparing Consumer Rights
When a state-level privacy law includes an exemption for data or entities regulated by another law, the other law should provide similar or more stringent privacy protections, especially when the other law covers sensitive personal information. Our paper covers the consumer rights afforded by each of the laws in greater detail, but the table below demonstrates some of the important differences between the respective protections and rights afforded to individuals.
Consumer Data Rights in the FCRA vs. the GLBA vs. General State Privacy Laws
| Type of Consumer Right | The FCRA | The GLBA | General State Privacy Laws |
| Limitations on third-party access to data | Entities covered by the FCRA may only disclose data contained in credit reports if they have a permissible purpose to do so. Consumers also have the right to place a credit freeze on reports from the “nationwide” consumer reporting agencies, which prohibits them from releasing information in consumers’ credit reports without their permission. | A financial institution must provide notice and an opportunity to opt out before sharing nonpublic financial information with nonaffiliated third parties, subject to a number of exceptions. | All general state privacy laws allow consumers to opt out of the sale of their personal data. |
| Right to delete or correct data | The FCRA requires CRAs to correct or delete inaccurate, incomplete, or unverifiable information, and consumers have the right to dispute incomplete or inaccurate information. | Not included. | All general state privacy laws give consumers the right to request that businesses delete their personal information. |
| Right of access | The FCRA gives consumers the right to know what is in their file and to request their credit score. | Not included. | All general state privacy laws give consumers the right to ask businesses if they have collected their information and request a description of the types of data collected or obtain the collected data entirely. |
| Right of portability | Not included. | Not included. | All general state privacy laws give consumers the right to request their data from businesses so that consumers can switch to other providers. |
| Notice and transparency | CRAs must tell consumers if information in their credit file has been used against them, and consumers have the right to access their credit file. | Financial institutions must provide privacy and opt-out notices to consumers, subject to a number of exceptions. | All general state privacy laws require businesses to provide notice to consumers about certain data practices and privacy programs. |
The GLBA and the FCRA do not provide the same privacy protections and consumer rights as state privacy laws currently in effect in many states. States unduly limit privacy protections for their constituents when they exempt GLBA- or FCRA-covered data or entities, which include entities that engage in the collection and sale of personal information on a massive scale. Individuals deserve the same protections for personal data held by entities covered by the GLBA or the FCRA as they enjoy for personal data held by other entities.
Further, our paper emphasizes that policymakers must consider the impact of incentives for data brokers. If general state privacy laws, and even state data broker deletion laws, are not clear about which entities are covered, how state-level coverage relates to federal laws, and the rights that brokers must provide to consumers as a result, there is a greater risk that data brokers will be incentivized to claim (accurately or not) that they are regulated by the FCRA or the GLBA to avoid compliance with a state law.
Recommendations
EPIC’s white paper makes the following recommendations for state legislators, members of Congress, and other policymakers:
- States with consumer privacy laws should evaluate any potential loopholes in the text and explore new legislation to close these gaps. States should remove GLBA and FCRA data-level and entity-level exemptions from consumer privacy laws so that consumers can both exercise their rights under the GLBA and the FCRA without issue and receive protections against CRAs’ other data activities (such as selling demographic data and financial data that neither the GLBA nor the FCRA covers).
- Congress and legislatures in states without general consumer privacy laws should pass new laws without entity- or data-level GLBA or FCRA exemptions in the first place. Further, lawmakers should introduce legislation to clarify the coverage of CRAs under the FCRA—and strengthen the rules for consumers.
- Lastly, federal agencies such as the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and the Department of Justice (DOJ) should use their authority to strengthen rules that protect consumers from data brokers. For example, the CFPB should resuscitate its “Protecting Americans from Harmful Data Practices” rulemaking. The Bureau’s 2024 proposal would clarify that many data brokers meet the definition of CRAs under the FCRA, meaning that data brokers that are CRAs must comply with the FCRA. The CFPB and FTC should also bring enforcement actions against data brokers that violate the law.