MARI × California Data Broker Registry

41 of California's 566 registered data brokers, on your phone.

The CPPA makes every data broker operating in California register annually and file a sworn statement about what they collect and who they sell to. We pulled a small slice of NowSecure MARI and cross-referenced 6,612 mobile apps against that registry. MARI scans thousands of apps per day on an ongoing basis; this post is a sliver of that. Of the forty-one brokers we matched, twenty-four are actively running as SDKs; the rest appear as URL strings baked into binaries.

Look up any broker

Browse all 566 brokers in the CPPA registry.

Every California-registered data broker, observed in our mobile sample or not. Search by name, DBA, or website. Filter by sensitive-data category or who a broker sold to in the past year. Click any row to see the full disclosure checklist and a link to the broker's consumer-rights portal.

source: CPPA Data Broker Registry, April 2026

How we did this

What we looked at, and what we didn't.

This is research. Before the findings, the mechanics.

  1. Sample. 6,612 unique apps (2,420 Android / 4,476 iOS), 12,628 scan runs. A narrow slice of MARI's continuous stream; NowSecure scans thousands of apps per day across market-watch programs.
  2. Signal. MARI extracts every hostname observed in each app: hardcoded URLs in the binary, live API calls during analysis, captured network traffic, and pinned certificates. We kept every observation, not just those already on public tracker lists.
  3. Cross-reference. We joined observations against the CPPA Data Broker Registry (566 entries). Matches used primary-website eTLD+1, DBAs, and hand-curated overrides for brokers whose SDKs run on legacy domains (e.g., LiveRamp's rlcdn.com).
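
An added sketch of step 3, not NowSecure's or MARI's code: each hostname is reduced to its eTLD+1 and joined against registry websites, with an override map for SDK domains. The suffix set, registry rows and hostnames are constructed stand-ins, the function names are hypothetical, and DBA matching is left out.

```python
# Constructed stand-in for the Public Suffix List; a real run would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "tv", "uk", "co.uk"}

# Constructed sample rows (broker name, primary website); not copied from the registry.
REGISTRY = [
    ("iSpot.tv", "https://www.ispot.tv/"),
    ("MaxMind", "maxmind.com"),
    ("LiveRamp", "liveramp.com"),
    ("Comscore", "www.comscore.com"),
]

# Hand-curated overrides for SDK endpoints on other domains (domains named in the post).
OVERRIDES = {"rlcdn.com": "LiveRamp", "liadm.com": "LiveRamp",
             "scorecardresearch.com": "Comscore"}

def etld_plus_one(host):
    """Return the registrable domain: longest public suffix plus one label."""
    host = host.lower().split("://")[-1].split("/")[0].split(":")[0].rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                           # unknown suffix: refuse to guess

def build_index(registry, overrides):
    """Map eTLD+1 -> broker name; overrides are applied last."""
    index = {}
    for name, website in registry:
        domain = etld_plus_one(website)
        if domain:
            index[domain] = name
    index.update(overrides)
    return index

def match_hosts(hosts, index):
    """Map each observed hostname to a broker name, or None when unmatched."""
    return {h: index.get(etld_plus_one(h)) for h in hosts}

# Constructed observations, as if extracted from one app.
OBSERVED = ["geoip.maxmind.com", "sdk.rlcdn.com", "collect.scorecardresearch.com",
            "notmaxmind.com", "maxmind.com.cdn.example.net", "api.example.co.uk"]

if __name__ == "__main__":
    for host, broker in match_hosts(OBSERVED, build_index(REGISTRY, OVERRIDES)).items():
        print(f"{host:32} {broker}")
```

Matching on the registrable domain rather than a substring is what keeps `notmaxmind.com` and `maxmind.com.cdn.example.net` out of the MaxMind row.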

The sharp edges

Four stories worth telling.

→ GenAI developer

iSpot.tv

4 apps

iSpot.tv is one of the brokers in our matched set that self-disclosed selling consumer data to a developer of a GenAI system or model in the past year, consistent with their public Sage AI product line. All four of the apps in which we observed iSpot.tv endpoints are active integrations, not just URL references.

minors' data · 163 apps

Comscore

163 apps · 50 more referenced

Comscore self-discloses collecting personal information of minors. We observe their SDK (scorecardresearch.com) actively running in 163 apps, more than any other matched broker in the sample. 77% active-to-referenced ratio.

→foreign · →fed · →LEO · →GenAI

MaxMind

2 apps · all four disclosure flags

MaxMind is the only broker in our matched set that self-disclosed sales to all four of: foreign actors, federal government, law enforcement, and GenAI developers. Tiny mobile footprint in this sample, but the filing itself is the story.

government ID

LiveRamp

31 apps

LiveRamp's mobile SDK surface (rlcdn.com and liadm.com, inherited from acquisitions) is actively running in 31 apps in the sample. LiveRamp self-discloses collection of government-issued identification numbers.

Try it

Search the matched brokers.

Every CPPA-registered broker we observed in the sample, sorted by evidence strength. Click any row to expand it and see the member filings, specific hostnames, and the full disclosure checklist from each broker's CPPA filing. Type to search by broker, app, or host.

Strong

Live endpoint contact, cross-validated by multiple signals (API call + captured traffic, or a pinned certificate). High confidence the broker's SDK is actually running.

Live

The app contacted the broker's endpoint during analysis (API call or captured traffic), but we didn't see the cross-validating signals a "strong" rating needs. Real activity, thinner evidence.

Referenced only

The broker's domain appears as text in the app binary, but we never saw the app call it. Often a privacy-policy URL, deep-link target, or dormant SDK code that didn't fire during our run.
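
The three tiers as a classifier with a per-broker rollup, an added example rather than MARI's implementation. The signal labels and app IDs are hypothetical; it assumes a pinned certificate counts as cross-validation only alongside live contact, and that the 77% Comscore figure is active apps over all matched apps.

```python
from collections import defaultdict

# Hypothetical labels for the four signal sources listed in the methodology.
LIVE_SIGNALS = {"api_call", "traffic"}      # evidence the app contacted the host
# The other kinds are "binary_string" and "pinned_cert".

def tier(signals):
    """Classify one (app, broker) pair from the set of signal kinds observed."""
    live = signals & LIVE_SIGNALS
    if not live:
        return "referenced"                 # string or pin only, never contacted
    if live == LIVE_SIGNALS or "pinned_cert" in signals:
        return "strong"                     # live contact plus cross-validation
    return "live"                           # one live signal, nothing to back it

def rollup(observations):
    """Turn (app_id, broker, signal_kind) rows into
    (broker, active_apps, referenced_apps, strong_apps), strongest evidence first."""
    per_pair = defaultdict(set)
    for app, broker, kind in observations:
        per_pair[(app, broker)].add(kind)
    counts = defaultdict(lambda: {"strong": 0, "live": 0, "referenced": 0})
    for (_app, broker), kinds in per_pair.items():
        counts[broker][tier(kinds)] += 1
    rows = [(b, c["strong"] + c["live"], c["referenced"], c["strong"])
            for b, c in counts.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))

def active_share(active, referenced):
    """Percentage of matched apps where the broker's endpoint was contacted."""
    return round(100 * active / (active + referenced))

# Constructed observations for three apps.
OBSERVATIONS = [
    ("app-a", "Comscore", "binary_string"), ("app-a", "Comscore", "api_call"),
    ("app-a", "Comscore", "traffic"),       ("app-b", "Comscore", "traffic"),
    ("app-c", "Comscore", "binary_string"), ("app-a", "MaxMind", "binary_string"),
    ("app-c", "MaxMind", "pinned_cert"),    ("app-b", "LiveRamp", "api_call"),
    ("app-b", "LiveRamp", "pinned_cert"),
]

if __name__ == "__main__":
    for row in rollup(OBSERVATIONS):
        print(row)
    print(active_share(163, 50))            # Comscore counts quoted in the post
```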

source: MARI × CPPA registry · 2026-04-21

Not observed live

Registered, but not observed.

Some broker domains appear as text strings inside app binaries, typically in privacy policies, FCRA disclosure links, or deep links to a broker's consumer-rights portal. But we don't observe the apps actually connecting to them. That doesn't mean these brokers don't get data about you. It means they don't get it directly from these apps. They're downstream; they buy from the adtech vendors above.

The brokers below still file sworn statements with the CPPA about what they collect and who they sell to. Those filings are their own disclosures, not inferences from our data.

Limitations

What this does not say.

  1. This is a small, narrow sample. 6,612 apps is a fraction of the mobile ecosystem. NowSecure scans thousands of apps per day on an ongoing basis; this post uses only a sliver of that. Findings describe this sample. A broker's absence here doesn't mean they're absent from the wider mobile ecosystem; a larger sample would almost certainly surface more matches.
  2. URL reference ≠ SDK usage. We separated live contact from "URL in binary" for exactly this reason. Even live contact during analysis doesn't prove personal-data transmission. MARI sees endpoints, not payload semantics.
  3. Filings are self-disclosed. CPPA disclosures are sworn statements by the brokers themselves. We're surfacing them verbatim; we didn't independently verify them.
  4. Mobile is one channel. Brokers receive data from many places: ad exchanges, website cookies, offline data, purchased feeds. Absence from mobile endpoints is not absolution.
  5. Corporate structure lags filings. Example: Tapad's CPPA filing lists Experian as its website, but TransUnion acquired Tapad in 2020. M&A moves faster than registry updates.
  6. eTLD+1 matching is naive. Brokers whose SDK endpoints sit on unrelated domains won't match automatically. We added manual overrides for known cases (LiveRamp, Nielsen, Comscore); there are surely more.

Want the sample or want to run this for your apps?

NowSecure continuously analyzes the binaries teams ship and the ones your users trust you with. If you want to know which data brokers are reachable from your mobile attack surface, we'll run the query.
