[UPDATED] The Data Brokers Selling US Data to Foreign Actors, According to California

Update 3/27, 10:30 a.m. ET: Following publication, seven of the 33 data brokers named in this post contacted EPIC and represented that they do not in fact sell or share data with “foreign actor[s]” within the meaning of the California Delete Act (North Korea, China, Russia, or Iran) and that the self-reported information in the California registry contains inaccuracies about their brokerage activities. These seven brokers are AggKnowledge Inc.; Bachmanity, Inc. DBA: Aviato; Clay Labs, Inc.; Command Precision Inc. DBA: Persistent.id; Irys, Inc.; Media.net Advertising FZ-LLC; and Warmly, Inc. One broker, Media.net Advertising FZ-LLC, also stated that it does not in fact collect precise geolocation data.

Many of the brokers mentioned in the original post, however, have not reached out disputing the self-reported information.

As noted, the information contained in California’s registry is provided by data brokers themselves. The apparent inaccuracy of registry entries for at least seven of those brokers underscores three important points. First, data brokers must take seriously their legal obligation to accurately disclose and describe their activities to California and other jurisdictions that regulate brokers.

Second, CalPrivacy and other regulators should not treat information self-reported by brokers as ground truth, as errors and omissions can cloud the picture of how, by whom, and to whom personal data is being trafficked for commercial gain. Data broker registries must, at a minimum, be paired with robust oversight and enforcement.

And third, the number of brokers that may have incorrectly reported their activities to California underscores a possibility: in addition to brokers that say they erroneously reported that they did sell data to “foreign actors” under California’s law, it is also possible that there are data brokers that erroneously reported that they did not sell data to said “foreign actors” when they in fact did so. This risk again speaks to the above two points about the importance of accurate, precise filings and legal compliance as well as robust enforcement.

Original post: On March 24, California released an updated registry of data brokers—companies in the business of collecting, inferring, aggregating, and selling people’s data. The 2026 California data broker registry includes data brokers that were operating in the state in 2025. It’s the latest annual update of the state’s public-facing, freely accessible, and searchable database of the third-party data brokers (those without a direct consumer relationship) selling categories of Californians’ data that are covered under state privacy laws.

Except with this update, there are a few catches—including the revelation that 33 California-registered data brokers reported selling data to or sharing data with, at least in 2025 (and potentially in 2026), non-US actors in North Korea, China, Russia, and/or Iran. Five of these data brokers that reportedly sold or shared data with foreign actors in 2025 even reported collecting precise geolocation data.

Data brokers’ business practices are already predatory and problematic, fundamentally premised on the collection and aggregation of people’s data that they received no fully informed, freely given, meaningful consent to collect, infer, aggregate, or sell in the first place. Selling to US actors alone, data brokers have for decades catalyzed stalking and gendered violence by selling people’s home address and other data to abusive individuals looking to commit harm; fueled data-driven scams, such as the mass distribution of bogus lottery offers to older Americans and other people in vulnerable positions; and even more recently contributed to violence against public servants in much the same way as they have for years in the stalking and gendered violence context.

But it’s also true that data brokers selling US data presents risks to national security—not only because of how those vast repositories of data can be particularly attractive targets for hackers, but also because they could sell sensitive data on US government personnel, US government locations, or the US public writ large to US foreign adversaries. At least 33 California-registered data brokers stating that they sold data to or shared data with US foreign adversary countries (“foreign actors,” in the registry’s label, defined more below) in 2025 underscores the urgency of a systemic legal and regulatory approach to reigning in the out-of-control data sale industry.

The 33 Data Brokers In Question

Under the Delete Act (aka California SB-361), now in law, a “foreign actor” is defined as either “the government of a foreign adversary country” or “a partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a foreign adversary country.” The term “foreign actor” is defined in the same way as “covered nation” in 10 U.S. Code § 4872—that is, North Korea, China, Russia, or Iran.

Below are the 33 data brokers that told California that they sold data to or shared data with foreign actors in 2025, including the type of data they collect along with other categories of entities to whom the brokers report having sold Californians’ covered data or report having shared Californians’ data with. Almost every single data broker in question—32 out of the 33—collects Californians’ personal information in conjunction with device IDs. Five collect Californians’ precise geolocation data. 

Data Broker Name	Website	Data Collection Includes	Data Sold/Shared To
AggKnowledge Inc.	aggknowledge.ai	Personal Info + Device IDs	Foreign Actor
Asset International, Inc.	issmarketintelligence.com	Gender Identity; Personal Info + Device IDs	Foreign Actor; Federal Government
Bachmanity, Inc.DBA: Aviato	aviato.co	Personal Info + Device IDs	Foreign Actor
CisionDBA: Cision	cision.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments
ClarivateDBA: Clarivate	clarivate.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments
Clay Labs, Inc.	clay.com	Account Logins; Personal Info + Device IDs	Foreign Actor; GenAI Developer
Command Precision Inc.DBA: Persistent.id	Persistent.id	Personal Info + Device IDs	Foreign Actor
CoStar Realty Information, Inc.	costar.com	Precise Geolocation; Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments
Crimson HexagonDBA: Brandwatch	brandwatch.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments; Law Enforcement; GenAI Developer
DR Decision Resources, LLC	clarivate.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments
Effyis, Inc.DBA: Socialgist; Boardreader	socialgist.ai	—	Foreign Actor; GenAI Developer
Epsilon Data Management, LLC	epsilon.com	Reproductive Health; Personal Info + Device IDs	Foreign Actor
Healthcare IncDBA: Healthcare.com	healthcare.com pivothealth.com	Gender Identity; Precise Geolocation; Personal Info + Device IDs	Foreign Actor
HubSpot, Inc.	hubspot.com clearbit.com	Personal Info + Device IDs	Foreign Actor; State Governments
Hunter Web Services, Inc	hunter.io	Personal Info + Device IDs	Foreign Actor
Institutional Shareholder Services Inc.	issgovernance.com	Sexual Orientation; Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments
Irys, Inc	irys.us	Precise Geolocation; Personal Info + Device IDs	Foreign Actor
L.S Mobile Apps Holdings LTD	lsmapps.com	Personal Info + Device IDs	Foreign Actor
LightBox Parent, L.P.DBA: LightBox Parent, L.P.	lightboxre.com	Personal Info + Device IDs	Foreign Actor
Lightcast, LLCDBA: Economic Modeling; Rhetorik	lightcast.io rhetorik.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments
MaxMind, Inc.DBA: MaxMind	maxmind.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Governments; Law Enforcement; GenAI Developer
Media.net Advertising FZ, LLC	media.net	Precise Geolocation; Personal Info + Device IDs	Foreign Actor
Meltwater News US, Inc.	meltwater.com	Gender Identity; Personal Info + Device IDs	Foreign Actor; Federal Government; State Government; Law Enforcement; GenAI Developer
Moody’s Corporation	moodys.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Government; Law Enforcement; GenAI Developer
Orgio, Inc.DBA: The Org	theorg.com	Gender Identity; Personal Info + Device IDs	Foreign Actor
PitchBook Data Inc	pitchbook.com	Gender Identity; Personal Info + Device IDs	Foreign Actor; Federal Government; State Government; Law Enforcement; GenAI Developer
Preqin Ltd	preqin.com	Personal Info + Device IDs	Foreign Actor; Federal Government; State Government; Law Enforcement
Semcasting, Inc.	semcasting.com	Precise Geolocation; Personal Info + Device IDs	Foreign Actor
Similarweb Ltd.	similarweb.com	IDs / SSN; Citizenship; Gender Identity; Personal Info + Device IDs	Foreign Actor; GenAI Developer
Snovio Inc	snov.io	Personal Info + Device IDs	Foreign Actor
Veeva Systems Inc.DBA: Veeva Systems Inc.	veeva.com	Gender Identity; Personal Info + Device IDs	Foreign Actor
Warmly, Inc.	warmly.ai	Personal Info + Device IDs	Foreign Actor; GenAI Developer
WINR Data	winrdata.com	Gender Identity; Personal Info + Device IDs	Foreign Actor

This is highly concerning both for consumers’ privacy and for US national security. Precise, device-level geolocation data is virtually impossible to meaningfully “anonymize” while still maintaining any degree of utility for analyzing the data (i.e., what a buyer would want), making it seriously risky for national security to have the ability to buy data on the open market about Americans’ movements and about traffic into, out of, around, and within specific US locations (e.g., military bases, government facilities). Look no further than the 2018 Strava scandal to see how geolocation data can expose damaging information to US security, while trampling on the privacy of consumers in the process. Device identifiers, to give another example—a data point reportedly collected by 32 out of the 33 data brokers who asserted selling data to or sharing data with foreign actors, meaning North Korea, China, Russia, and/or Iran—can be used to persistently track consumers across devices and contexts. When it comes to national security, that could mean mapping device movements (in the physical world) over time, pairing up disparate pieces of data to create a more cohesive mosaic of an individual who is trying to hide, or more.

Not to mention, some data brokers on the list particularly stand out, such as Epsilon, which was charged by the Justice Department with conspiracy to commit mail and wire fraud for knowingly, for a decade, selling data on millions of elderly Americans, including people suffering from Alzheimer’s and dementia, to criminal scammers, who then collectively stole millions from those people. (Again, sold knowingly.) This raises serious questions about any such company’s willingness and ability to meaningfully exert control over its data processes and sale pipelines, doubly so when they state that they are selling data to or sharing data with known US foreign adversary countries.

What is unclear from the registry is which data brokers are selling or transmitting precisely which types of datasets to which specific foreign actors. Let alone the fact that it is also unclear, with this limited information, how much data was sold (e.g., volume in terms of number of people whose data was included, volume in terms of how many individual data points were sold per person), over what period(s) of time, containing what explicit individual identifiers, and so forth.

However, what is clear—amid numerous public US government assertions that the sale of Americans’ data by data brokers poses national security risks to the country; studies and other work on the national security threats; even sketchy data broker ownership ties, in some cases, to US adversary nations—is that this activity demands further investigation.

What Could Happen Next?

There are at least a few possible next steps that could occur to further investigate this California-mandated reporting and take further action to rein in the out-of-control data broker industry.

First, the Federal Trade Commission (FTC) could exercise its authority under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) to investigate these data brokers that have asserted to California that they sell data to or share data with foreign actors as defined under California law. How does PADFAA define foreign actors, you might ask? Exactly how California law does—10 U.S. Code § 4872, or North Korea, Russia, China, and Iran—providing direct overlap in regulatory authority in terms of the end buyers of brokered data whose purchases could be investigated under, and should be limited if not prevented by, the law.

Second, if the Department of Justice had a functioning Data Security Program team, it could similarly investigate these data broker assertions about selling US data to foreign adversaries under EO 14117, the executive order that established the bulk data transfer/data brokerage and national security program at the Justice Department. Akin to California’s authority under the Delete Act and the FTC’s authority under PADFAA, the DOJ Data Security Program would have some overlap in authority over data brokers selling data to US foreign adversaries, because the DOJ program’s list of covered countries also includes North Korea, Russia, China, and Iran (plus Cuba and Venezuela). Like many other federal agencies, the DOJ Data Security Program team has unfortunately been gutted in recent months. However, it still has the authority to act and could do so if appropriately staffed and resourced to combat data broker- and other data-driven threats to national security.

Third, it is possible that California investigates these companies itself. The Delete Act, to be clear, requires that third-party data brokers under California law must disclose any covered data sales to the four foreign countries, but does not prohibit them from engaging in that activity per se. At the same time, however, California has documented statements from 33 data brokers that they sold Californians’ data to or shared it with, at least in 2025 and possibly in 2026, US foreign adversary countries. It is possible that California could investigate (or other states could similarly use these statements as a basis to investigate) how those reported sales or transfers occurred, what data was involved, and the extent to which those activities may have violated other legal and regulatory requirements, such as around unfair business practices or around failing to obtain the necessary chains of consent to be able to process or sell consumers’ data. For example, California’s general consumer protection laws related to businesses’ unfair or deceptive acts or practices could be used to enforce against data-driven harms, including insofar as transferring Americans’ data to US foreign adversaries defies consumers’ expectations (and very likely, wishes) for how their data is used. 

Fourth, it is possible that plaintiffs’ firms will get involved. Drawing on PADFAA and the DOJ Data Security Program, firms could argue that these sales violate Americans’ privacy rights and pose threats to national security by making Americans’ data available and selling it to US foreign adversary countries.

And fifth, Congress and/or state legislatures could pass more laws to deal with this problem. There are already two federal programs to start to deal with a slice (albeit an important slice) of the risks that data brokers pose to US national security by amassing and then selling consumers’ data, including at elevated degrees of precision and reidentifiability. It is possible—one would need more information to know for sure—that these data broker activities, as far as they have represented them to California in the 2026 state registry, could violate existing laws or regulations depending on their specifics. But that would depend on whether or not the data sales or transfers that the 33 brokers reported for 2025 (and could still be happening in 2026) meet the criteria under those programs, such as crossing the numeric thresholds that the DOJ program sets. In that program, for example, covered data brokers selling data on Americans writ large can sell more health data to an adversary country than they can genetic data (the genetic data threshold is much lower)—and if the data is explicitly tied to, say, US military or government personnel, then the restrictions might kick in regardless of the number of personnel whose data is involved.

All to say, while these are important federal programs, there is still much more work to be done to more comprehensively protect consumers from data brokers. Whack-a-mole will not suffice to deal with a multi-billion-dollar industry that actively harms people by selling data, in different parts and in different ways, to buyers ranging from abusive individuals to scammers of the elderly to, evidently, US foreign adversaries. If data brokers can’t collect and sell people’s information in the first place (especially without their consent), then North Korea, China, Russia, or Iran have nothing to buy.