What are data brokers? How they collect and sell your info

Data brokers are companies that collect personal information to sell to companies for research, advertising, and risk assessment. Given that nearly 6 in 10 Americans frequently skip reading privacy policies, you might be unknowingly handing over your information to these businesses.

Let’s explore the types of information data brokers collect, and how you can help protect your privacy.

How do data brokers get your information?

There are several ways that data brokers gain access to your personally identifiable information. One common way is when you accidentally give them your consent. For example, when you sign up for a sweepstakes, free trial, or newsletter, the fine print may state that your information can be shared with “partners” or “third parties.” Those third parties often include data brokers.

Another common way of obtaining information is through web scraping. Data brokers accomplish this using specialized software, cookies, or a simple script. Here are some places where they collect your personal information.

• Public records: Court records, census data, and voter registration are all easy places for data brokers to obtain information like your birth date, political affiliation, and marital status.
• Social media: When you leave your profile public on platforms like Facebook, Instagram, and LinkedIn, data brokers can easily access any info you share, like your employment history and contact details.
• Web browsing activity: Data brokers use web scraping to pull information about your online activities directly from the websites you visit.
• Mobile apps: Your purchase history, credit, and health information can be accessed through your apps, either by using third-party sharing in exchange for free services or app scraping.
• Loyalty programs: When you signed up for that loyalty card, they probably asked you to agree to share purchasing information and other personal details with third-party companies.

What personal information do data brokers collect?

Data brokers collect as much personal information about you as possible. From basic facts like your birth date to detailed info such as your political affiliations or credit history, the goal is to build a complete picture of who you are.

Specific information they look for and collect includes:

• Full name.
• Date of birth.
• Gender and marital status.
• Contact information (e.g., home address, phone number, email address).
• Employment history and job title.
• Household income and property ownership.
• Purchasing behavior and transaction history.
• Web browsing activity and search history.
• Political affiliations or interests.
• Health-related conditions (non-HIPAA data).
• Criminal records or legal filings (if public).
• Vehicle ownership and registration info.
• Credit score range and financial indicators.

How do companies use your data?

From research to advertising, companies purchase your personal data from data brokers for various reasons.

Here are common uses:

• Targeted advertising: Businesses can tailor their advertising to you using your demographic or browsing data.
• Credit and insurance decisions: Your credit history, public records, and other information can be purchased and used to determine your credit and insurance risk.
• Market research and analytics: By studying your purchase history and personal data, marketing departments gain insight into the spending habits of their target customers.
• Political campaigns: By understanding your affiliations, motivations, and principles, political campaigns can tailor their messaging to appeal to you.
• Background checks: Landlords and employers can purchase your information and use it to determine the risk of renting to you or employing you.

Why data brokers pose privacy risks

Data brokers’ access to the personal information of millions of individuals can pose serious security and privacy risks for consumers. Issues like a lack of consent and data misuse can make it easy for your sensitive data to fall into the wrong hands.

Specific privacy concerns include:

• Lack of transparency and consent: Brokers don’t always work directly with the people they’re gathering information about, so there may be little incentive for them to be transparent with you.
• Difficulty opting out: Each data broker has its own, often arduous process for opting out or deleting the info they have on you.
• Potential of data breaches: If data brokers have their database breached, it can expose your information, and you may not be notified of the data breach.
• Increased risk of identity theft: Since there are no federal laws regulating data broker companies, your information could be sold to cybercriminals and used for identity theft purposes.

Examples of data brokers

Selling personal data can be lucrative, hence the large data brokering industry. These companies, which include the three major credit bureaus, can net billions of dollars a year by selling personal information.

Here are just some of the major data broker sites:

• Acxiom: An Arkansas-based company, Acxiom has records on more than 2.6 billion people globally.
• Epsilon: A French-owned company, Epsilon collects consumer data and demographics and has purportedly facilitated $15 trillion in transactions tied to people.
• Experian®: One of the big three credit bureaus, Experian is also a data broker that sells consumer data, contributing to a revenue of billions of dollars annually.
• Equifax®: Another one of the major credit bureaus, Equifax holds consumer credit data for more than 245 million people.
• TransUnion®: The other major credit bureau, TransUnion, holds credit histories for more than 260 million people.
• Cotality: With a focus on the property industry, Cotality holds billions of data points worldwide.
• LexisNexis Risk Solutions: This company is a major data and analytics provider that licenses consumer and public record data to clients in financial services, government, insurance, and healthcare sectors.

Are data brokers legal?

Yes, data brokering is generally legal, though the rules depend on where the broker and consumers are located and how the data is collected. In the U.S., there’s no single federal law regulating data brokers, so oversight is left to individual states. For example, California requires data brokers to register with the California Privacy Protection Agency (CPPA).

Outside the U.S., there are various regulations. Europe’s General Data Protection Regulation (GDPR) governs the collection and transfer of personal data. Countries including China, Brazil, Japan, India, and Canada have introduced similar laws.

Is the U.S. government doing anything to regulate data brokers?

At the federal level, efforts to regulate data brokers have been limited. In June 2024, the Protecting Americans’ Data from Foreign Adversaries Act (PADFA) was enacted to prevent the sale of personally identifiable sensitive data to foreign adversaries. Broader proposals, like the American Data Privacy Protection Act, have failed to pass for multiple reasons, such as conflicts with state legislation.

Meanwhile, many individual states are pushing ahead with their own data privacy measures. Delaware’s Personal Data Privacy Act adds protections around how companies handle personal data, among other rights. Under California’s Delete Act, residents can request that their information be removed from all brokers registered with the CPPA by submitting a single request. To date, 19 states have enacted comprehensive privacy laws.

How to protect your personal information from data brokers

Having your personal information out there for anyone to use can be unsettling, but there are actions you can take to reclaim ownership of your data. Here are five steps you can take to help protect your personal information online.

1. Opt-out of each broker: Learn how to remove yourself from data broker sites by submitting opt-out requests or use a third-party service to speed up the process.
2. Don’t overshare online: When posting online, try to limit the information you share to reduce data exposure.
3. Tighten your privacy settings: Review the privacy settings of your commonly used apps and websites to limit who can see your information.
4. Use a secure browser: Using a private browser can help block trackers, reducing how much of your browsing activity can be harvested.
5. Consider identity protection tools: To help protect yourself against identity theft, consider a dedicated service like LifeLock. It can also help you with the opt-out process, saving you time and hassle.

Take control of your digital privacy

Regaining control over your personal data is possible. Remember to only share your information when necessary, and consider an identity theft protection service like LifeLock Standard to help safeguard your information. Our Privacy Monitor feature proactively scans popular data broker sites for your details, making it easier to opt out and keep track of your information online.

We’ll also alert you about large-scale breaches where we find your data exposed, so you can secure your compromised accounts and info. It’s the best identity protection for your dollar, so join us today.

FAQs

Are the credit bureaus data brokers?

Yes, in the sense that the three credit bureaus make money partly by selling your personal information. However, the credit bureaus are far more regulated than other data brokers.

Can I find out what data a broker has on me?

You can perform a basic internet search using your name, phone number, and other personal data to see what info is available about you. You can also look up data broker sites directly or use a third-party service to scan multiple data broker websites and report where your data is found.

Can data brokers sell my data without my consent?

Data brokers can sell certain data without your explicit consent, like information collected from public records. Other data can be legally obtained through apps or services where you agreed to the terms and conditions.

Is opting out of data broker sites once enough?

Not usually. While this will remove your personal info from the site in the short term, you may find your info back on the same data broker site in the future. This is because many state laws only require one-time removal of existing records. So, if a broker collects new data (like a new address or phone number), it may be treated as a fresh record not covered by your original request.

How often do data brokers update their information?

Data brokers update their information based on the type of data they handle and their specific policies. While some companies refresh their data daily, others may only perform updates every six months.