The compliance trap in lead-generation services

This article outlines key considerations for U.S.-based companies that offer lead-generation services — i.e., selling lists of contact information for use in marketing or direct outreach.

These activities are regulated by comprehensive state privacy laws. In addition, because the service involves selling data about individuals who have no direct relationship with the company, it typically also triggers obligations under state data broker laws.

Understanding these requirements is essential to avoid significant penalties and operational disruption.

Data broker laws

An increasing number of states — including California, Vermont, Texas and Oregon — have enacted data broker laws, with more states expected to follow. While definitions vary, a “data broker” is generally a business that collects personal information about individuals with whom it has no direct relationship and sells or licenses that information to third parties.

Because lead generation services involve selling personal data about individuals who are not direct customers, most companies offering these services will qualify as data brokers. This classification creates standalone compliance obligations, regardless of where the data originates, and often increases visibility with regulators and plaintiffs’ lawyers.

Core obligations

1. Registration: Many states require annual registration with a designated regulator. Registration fees can be significant (for example, California charges $6,600 annually), and failure to register may result in penalties (in California, $200 per day plus the expenses the California Privacy Protection Agency incurs in administering the registration requirement).

2. Transparency: Registration is not a formality. It requires detailed disclosures, including the categories of personal information collected, data sources, third-party recipients and the opt-out options offered. These disclosures are often published in publicly accessible state registries, increasing scrutiny.

3. Data Security: Companies must implement reasonable administrative, technical and physical safeguards to protect personal information. A defensible security program is risk-based, documented and regularly updated, with clear governance over third-party processors (contractual security terms and a current inventory of which vendors receive which data).

4. Consumer Rights: Data brokers must provide mechanisms for individuals to prevent sale of their personal information and request deletion of their data.

Expanded requirements (California and Texas)

California’s “Delete Act,” effective January 2026, introduces additional obligations. Data brokers must participate in a centralized deletion system (DROP), which allows consumers to submit a single request to delete their information across all registered brokers. At least every 45 days, companies must retrieve new deletion requests from DROP, delete the matching data from their systems, stop selling or sharing any new personal information about that consumer, and report compliance to the regulator. Beginning in 2028, data brokers must also undergo independent audits every three years.
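As an added illustration (not code from the article, and not the DROP platform’s own API, whose request format is not described here and is not assumed), the following Python sketch shows the part of the DROP workflow that is easy to get wrong in practice: a deletion request must be paired with a persistent suppression list, otherwise the same consumer is quietly re-sold the next time they appear in an incoming data feed. The normalization rules, the `PEPPER` secret and the sample records are assumptions and constructed data.

```python
"""Deletion plus ongoing suppression for a lead database.

Added example, not from the article or any regulator. Identifier
normalization, the keyed-hash secret and all records are assumptions.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Placeholder secret for the keyed hash. In production this comes from a
# secrets manager and is never committed to code (assumption, not from the article).
PEPPER = b"replace-with-secret-from-your-secrets-manager"


def normalize_email(value: str) -> str:
    return value.strip().lower()


def normalize_phone(value: str) -> str:
    # Keep digits only and drop a leading US country code so "+1 415 555 0101",
    # "(415) 555-0101" and "4155550101" all produce the same key.
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def match_key(kind: str, value: str) -> Optional[str]:
    """Keyed hash of a normalized identifier, or None if the identifier is empty.

    The suppression list outlives the deleted record, so it stores HMAC-SHA256
    values rather than raw emails/phones: a plaintext list of people who asked
    to be forgotten would itself be a fresh copy of their personal information.
    """
    norm = normalize_email(value) if kind == "email" else normalize_phone(value)
    if not norm:
        return None
    return hmac.new(PEPPER, f"{kind}:{norm}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Lead:
    lead_id: str
    email: str
    phone: str


class LeadStore:
    """Lead database plus a persistent suppression list."""

    def __init__(self) -> None:
        self.leads = {}          # lead_id -> Lead
        self.suppressed = set()  # match keys of consumers who requested deletion

    @staticmethod
    def keys_for(lead: Lead) -> set:
        keys = {match_key("email", lead.email), match_key("phone", lead.phone)}
        keys.discard(None)
        return keys

    def ingest(self, leads) -> tuple:
        """Add leads unless they match a suppressed consumer; returns (accepted, blocked).

        Blocking at ingest is what implements "do not sell new information about
        that consumer": deleting once is not enough if the person reappears in
        next month's feed under a new phone number.
        """
        accepted = blocked = 0
        for lead in leads:
            if self.keys_for(lead) & self.suppressed:
                blocked += 1
            else:
                self.leads[lead.lead_id] = lead
                accepted += 1
        return accepted, blocked

    def process_deletion_batch(self, requests) -> dict:
        """Apply a batch of (kind, value) deletion requests.

        Every request is added to the suppression list even when nothing matches
        today, so a consumer the company has never held data on stays blocked.
        The returned counts are the evidence retained for the compliance report.
        """
        keys = {match_key(kind, value) for kind, value in requests}
        keys.discard(None)
        self.suppressed |= keys
        hits = [lid for lid, lead in self.leads.items() if self.keys_for(lead) & keys]
        for lid in hits:
            del self.leads[lid]
        return {"requests": len(keys), "deleted": len(hits),
                "suppressed_total": len(self.suppressed)}


# Constructed sample data: not real people and not a real DROP export.
SAMPLE_LEADS = [
    Lead("L1", "a@example.com", "(415) 555-0101"),
    Lead("L2", "b@example.com", "415-555-0102"),
    Lead("L3", "c@example.com", "+1 415 555 0103"),
]
SAMPLE_REQUESTS = [
    ("email", " A@Example.com "),     # case and whitespace differ from the stored record
    ("phone", "1-415-555-0102"),      # country code differs from the stored record
    ("email", "nobody@example.net"),  # not currently in the database
]
NEXT_MONTH_FEED = [
    Lead("L4", "a@example.com", "650-555-0199"),  # same person, new phone: must be blocked
    Lead("L5", "nobody@example.net", ""),         # asked for deletion before we held data
    Lead("L6", "d@example.com", "415-555-0106"),  # unrelated consumer: accepted
]


def run_demo() -> dict:
    store = LeadStore()
    first = store.ingest(SAMPLE_LEADS)
    batch = store.process_deletion_batch(SAMPLE_REQUESTS)
    second = store.ingest(NEXT_MONTH_FEED)
    return {"first_ingest": first, "batch": batch,
            "second_ingest": second, "remaining": sorted(store.leads)}


if __name__ == "__main__":
    print(run_demo())
```

Exact-match on email and phone is deliberately the only matching shown; real feeds also need name-and-address matching, which is fuzzy and produces false negatives, so the suppression list should be rebuilt against each new feed rather than checked once at deletion time.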

Texas imposes a separate notice requirement on data brokers that maintain a website or mobile application: the company must post a conspicuous notice on it stating that it is a data broker.

Controller obligations under privacy laws

Privacy laws distinguish between “controllers” and “processors.” A lead-generation provider that determines how personal data is used is a controller. That is the usual case: companies commonly host and manage the data on their own platforms, define search, filtering and segmentation capabilities, and enable customers to identify individuals based on specific criteria.

Key controller obligations include the following: providing clear and accessible privacy notices explaining data practices; enabling consumer rights, including access, correction and deletion; offering opt-outs for certain processing activities, including data sales, targeted advertising and profiling; implementing appropriate technical and organizational security measures; and conducting data protection impact assessments (DPIAs) for higher-risk activities.

Privacy laws define “sale” broadly to include disclosing or making personal information available in exchange for monetary or other valuable consideration. Lead-generation services will almost always meet this definition.

Key requirements

1. Notice of Sale: Companies must disclose their data sale practices, typically through a privacy notice. However, where there is no direct relationship with individuals, relying solely on a website notice may not satisfy regulators.

2. Opt-out Mechanism: Companies must provide a clear and accessible way for individuals to opt out of the sale of their data (e.g., a “Do Not Sell or Share My Personal Information” link). Again, this can be challenging where individuals are unaware of the company’s existence.

3. Data Protection Impact Assessments (DPIAs): DPIAs evaluate the purpose, risks and safeguards associated with processing. While usually internal, they must be available to regulators upon request.

4. Consumer Request Processes: Companies must maintain reliable, tested processes for responding to consumer rights requests within required timeframes.

Profiling

Profiling is generally defined as automated processing used to evaluate or predict aspects of an individual’s behavior, preferences or characteristics. Lead-generation services may constitute profiling where they allow users to filter or segment individuals based on marketing criteria.

Even basic data organization — such as enabling targeted searches based on inferred interests — may qualify as profiling under certain privacy laws.

If profiling is involved, companies must provide notice of profiling activities, offer consumers the ability to opt out and conduct DPIAs to assess associated risks.

As with data sales, these requirements are more difficult to satisfy where the company lacks a direct relationship with individuals.

Key takeaways and recommendations

Offering lead-generation services triggers overlapping obligations under data broker laws and privacy laws. These obligations can be complex to operationalize, especially when individuals are unaware that their data is being processed.

Additionally, data broker registration and related disclosures can increase regulatory scrutiny and litigation risk.

Practical steps to mitigate risk include:

Update privacy notices to clearly describe lead generation and data sale practices.

Implement opt-out mechanisms for both data sales and profiling.

Conduct DPIAs for high-risk processing activities.

Register as a data broker in applicable states before launching services.

Comply with California’s DROP requirements and similar emerging frameworks.

Establish consumer request processes to ensure timely and accurate responses.

Update terms of service to allocate risk appropriately, including indemnification provisions.

In short, lead-generation services create overlapping obligations under U.S. privacy and data broker laws, and companies should take a proactive approach to compliance.

McLane Middleton’s Cybersecurity and Privacy team helps clients build practical, regulator-ready compliance programs. Contact us to learn more.


Alex Intile is counsel in McLane Middleton’s Cybersecurity and Privacy group, and can be reached at alex.intile@mclane.com. Katarina Overberg is a member of McLane Middleton’s Cybersecurity and Privacy Group, and can be reached at katarina.overberg@mclane.com. Muhammad Usman is a member of McLane Middleton’s Cybersecurity and Privacy Group, and can be reached at muhammad.usman@mclane.com.

Categories: Cybersecurity, Law