Lead-Gen Compliance · 2026

The Lead Everyone Touches: Data-Broker Rules and the Consent Record That Travels With It

A single lead passes through generators, sellers, and buyers. New data-broker laws now land on all three, and one record protects the whole chain.

Performance MarketingData-Broker Laws9 min read
TL;DR

Data-broker registration laws in California, Texas, Oregon, and Vermont now reach the performance marketing chain. They apply to anyone who sells data about consumers they have no direct relationship with, which pulls in lead sellers, aggregators, and co-reg brokers. The through-line for generators, sellers, and end buyers is the same session-level consent record: what disclosure rendered, the affirmative click, timestamp, device, and IP. Capture it at the source and the whole chain is defensible.

Picture this: a consumer fills out a form on a solar landing page at 9:14 on a Tuesday night. By Wednesday morning that lead has been scored, bundled with two hundred others, sold to an aggregator, resold to a regional installer, and dialed twice. Four different companies touched that person’s data before lunch. Now a data-broker regulator asks a simple question about one of them: who sold information about a consumer they never actually met, and can they prove how they got it? Suddenly the whole chain is looking for the same thing, the record of what that consumer saw and agreed to.

One lead, three roles, three kinds of risk

In the performance marketing world, a lead is never handled by just one business. It moves. And the new wave of data-broker registration laws now touches every hand it passes through. If you generate, sell, or buy leads, this is your compliance story, not someone else’s.

Start by naming the three roles, because the rules hit each one differently.

  • The generator. This is the publisher, affiliate, or advertiser who captures the consumer directly on a landing page or web form. You built the offer, you ran the traffic, the consumer typed their details into your page.
  • The seller or aggregator. This is the business that buys leads, bundles them, and resells them, sometimes several times. Often you never interact with the consumer at all. You are moving data about people you have never met.
  • The end buyer. This is the home-service company in solar, roofing, HVAC, mortgage, or insurance who buys the lead to call or text it. Your exposure is the phone: whether the consumer actually consented to be contacted, and whether you can prove it if a TCPA complaint lands.

Three roles, three flavors of risk. The generator worries about whether the consent it is passing downstream is real and reproducible. The aggregator worries about whether reselling data makes it a registrable data broker. The end buyer worries about dialing a number that never truly opted in. Here is the part most operators miss: all three worries resolve to the same piece of evidence.

4
States with data-broker registries (CA, TX, OR, VT)
$500/day
Oregon penalty for failing to register
100+
Companies the Texas AG has notified for non-registration

Who counts as a data broker now

The word “data broker” sounds like it belongs to giant list companies, and many operators assume it does not describe them. That assumption is where the trouble starts.

Across the state laws, the definition turns on one line: a data broker is a business that knowingly sells or licenses personal information about consumers with whom it has no direct relationship. Read that carefully, because the “direct relationship” test is what sorts the performance marketing chain into who has to register and who does not.

A generator who collects a consumer’s information directly through its own form usually has a direct relationship with that person. That is often outside the core data-broker definition, though it does not remove your consent obligations. The moment data changes hands to a party the consumer never interacted with, the picture changes. List brokers, co-registration aggregators, and lead resellers are the textbook profile of an in-scope data broker, because they trade in information about people they never met.

The gray zone is real. Whether a specific lead-gen arrangement creates a “direct relationship” is fact-dependent, and it is exactly the kind of question a regulator will probe. The safest position is not to guess. It is to hold a clear record of how each consumer’s data was collected and moved, so you can answer the question with evidence instead of an argument.

This matters because you do not get to self-certify your way out. If you sell or license consumer data and cannot show the direct relationship, you may owe a registration you never filed, in states you never thought applied to you.

The state map: California, Texas, Oregon, Vermont

Four states now run data-broker registries, and the three beyond California have quietly become an enforcement pressure point. The mechanics differ, so know the one that reaches your data.

State What it requires Teeth
CaliforniaRegister annually with CalPrivacy under the Delete Act; honor deletion via DROP starting Aug 1, 2026$200/day for late registration, plus a “Data Broker Strike Force”
TexasRegister before operating; post a clear website statement identifying yourself as a data broker$100/day, capped at $10,000 per 12 months, plus unpaid fees
OregonRegister with the Department of Consumer and Business Services; renew annually$500/day, capped at $10,000 per calendar year
VermontRegister annually; disclose collection practices and opt-out mechanicsEnforcement by the state; the original US data-broker registry

The Texas Attorney General has already notified more than a hundred companies that failed to register, so this is not a theoretical regime waiting to switch on. It is live. And Texas adds a wrinkle the others do not: you have to publicly label yourself a data broker on your own site, which is an awkward disclosure for a business that markets itself as a growth partner.

California deserves its own line. The DROP Act, short for the Delete Request and Opt-out Platform, is the deletion engine built under California’s Delete Act. Registered data brokers must begin honoring consumer deletion requests through DROP starting August 1, 2026, retrieving new requests at least every 45 days. We covered DROP in depth in our breakdown of the California DROP Act, and it remains a genuinely noteworthy obligation. If you touch data about California consumers you have no direct relationship with, registration is step one and honoring DROP deletions is step two. Neither goes away because your business calls itself performance marketing.

The regulator’s question is never “what does your pitch deck say you do?” It is “show me how you got this person’s data, and show me they agreed.”

The common thread: one consent record

Here is where the three roles collapse into one problem. Whether you are trying to prove a direct relationship, honor a deletion request, document a lead’s lineage, or defend a TCPA claim on the calling end, you are reaching for the same artifact. Not a spreadsheet cell that says “consented: yes.” The actual session-level record of the interaction as it was rendered to that specific consumer.

That record has a handful of parts, and each one answers a question a regulator or plaintiff’s lawyer will ask:

  • The rendered disclosure. Which exact version of the consent language and partner list appeared on the page that consumer saw, not the version live on the site today.
  • The affirmative action. The checkbox or click the consumer actually made, tied to that disclosure.
  • A tamper-evident timestamp. When it happened, in a form that cannot be quietly backdated.
  • Device and IP. The context that ties the event to a real session rather than a reconstructed claim.
  • The page and path. Where the consumer was and how the data was set to move next.

Give a generator that record and it can prove the consent it passes downstream is real. Give a seller that record and it can document the lineage behind a resold lead instead of shrugging when asked where the data came from. Give an end buyer that record and it can verify a lead before paying and before dialing, rather than discovering the consent was thin after a class action names them. One record, three problems solved.

This is the difference between defending a policy and defending a contract. A lead vendor’s assurance that “these are all TCPA-compliant, fully consented leads” is a policy. A reproducible record of what the consumer saw and clicked is closer to a contract. When money and liability are on the line, one of those holds up and the other does not.

What to do before the next notice letter

You cannot control which state writes to you first, but you can control whether you have an answer ready. A practical sequence, whichever role you play:

  • Map your role on every data flow. For each stream of leads, write down whether you are the generator, the seller, or the buyer, and whether you have a direct relationship with the consumer. Ambiguity is where registrable status hides.
  • Check the four registries against your footprint. If you sell or license data touching California, Texas, Oregon, or Vermont residents without a direct relationship, price in registration now rather than after a penalty clock has started.
  • Fix the record at the source. Consent captured at the moment of generation travels with the lead. Consent reconstructed after a complaint rarely survives scrutiny. Capture the rendered page, the click, the timestamp, the device, and the IP when the lead is born.
  • Make verification a purchase condition. If you buy leads, require a reproducible consent record as part of the deal, not a checkbox in a spreadsheet. The vendor who can produce it is the vendor worth paying.
The Missing Piece

Most operators in the lead chain treat data-broker registration and TCPA consent as two separate compliance projects owned by two different people. They are not. They are two views of one record. The business that captures a clean, session-level consent record at the point of generation is simultaneously building its registration defense, its DROP audit trail, and its TCPA proof. The business that skips it is exposed on all three fronts and usually does not find out until a notice letter or a complaint tells it so.

To be clear about the boundary: capturing that record is not the same as filing your registration. Evidora does not register you as a data broker and does not run your DROP deletions. Those obligations stay with you, and the California DROP Act in particular is worth reading closely if any of your data touches California. What a captured record does is give every one of those obligations an evidentiary spine, so when you do register, respond, or defend, you are working from proof instead of memory. Evidence as infrastructure, sitting quietly underneath the compliance you still have to own.

Frequently asked questions

Does a data-broker law apply to me if I generate or buy leads?

It can. The registration laws in California, Texas, Oregon, and Vermont turn on whether you knowingly sell personal information about consumers with whom you have no direct relationship. A publisher who collects a lead directly usually has that direct relationship, but list brokers, co-registration aggregators, and resellers who move data about people they never interacted with are squarely in scope and may have to register.

What is the difference between a lead generator, a lead seller, and an end buyer under these rules?

A generator captures the consumer directly through a form or landing page. A seller or aggregator buys, bundles, and resells that data, often without any direct consumer relationship, which is the classic data-broker profile. An end buyer, such as a home-service company, purchases the lead to call or text it and carries TCPA exposure. Each role has different obligations, but all three depend on the same underlying consent record.

What are the penalties for failing to register as a data broker?

Texas can assess $100 per day for failure to register, capped at $10,000 in any 12-month period, plus unpaid fees. Oregon can assess $500 per day, capped at $10,000 per calendar year. California charges $200 per day under the Delete Act. Texas also requires a data broker to post a clear statement on its website identifying itself as one.

What is the California DROP Act and does it affect lead buyers?

DROP is the Delete Request and Opt-out Platform built under California’s Delete Act. Registered data brokers must begin honoring consumer deletion requests through DROP starting August 1, 2026, retrieving requests at least every 45 days. If you handle data about California consumers you have no direct relationship with, DROP is a separate, still-noteworthy obligation on top of registration.

Does Evidora register me as a data broker or run my DROP deletions?

No. Evidora does not file your registration or process your deletion requests. Those remain your obligation. What Evidora does is capture the session-level consent record and its lineage at the moment a lead is generated, which is the audit spine that proves what consent was obtained, on what page, when, and how the data moved down the chain.

What consent record actually protects a lead across the whole chain?

A session-level record of the interaction as it was rendered to the specific consumer: the exact disclosure version shown, the affirmative click or checkbox, a tamper-evident timestamp, the device, the IP address, and the page URL. That single record is what lets a generator prove valid consent, a seller document lineage, and an end buyer verify a lead before paying and before dialing.

Turn every lead-form interaction into a defensible record

Evidora captures court-ready evidence of every form interaction. One line of code. Retain what matters, expire what does not, and produce a reproduction when a regulator or a complaint asks how you got the data.

See how it works →
Selling Leads Is Getting Tricky
Scroll to top