What Is a Data Broker? How a $277.97 Billion Industry Profits From Your Data
You Google your own name. The first result is a people-search site listing your home address, your phone number, your estimated income, and the names of your relatives. You didn't put any of that there. Someone collected it, packaged it, and sold it - and they've been doing it for years.
That someone is a data broker, and collectively, these companies operate a $277.97 billion global industry that most people don't know exists.
The quick version:
What it is: A data broker collects, aggregates, and sells personal information about individuals - often without their direct knowledge. The industry hit $277.97B in 2024 and is growing at a 7.3% CAGR through 2033.
What changed: The Protecting Americans' Data From Foreign Adversaries Act (PADFA) took effect June 23, 2024. California launched DROP, a one-click deletion portal, on January 1, 2026. The FTC sent letters to 13 brokers with penalties up to $53,088 per violation.
What to do now: If you're in California, submit a DROP request immediately. Everyone else: manually opt out of the top five people-search sites (Spokeo, Whitepages, Intelius, PeekYou, BeenVerified), enable Global Privacy Control in your browser, then consider a paid removal service like DeleteMe or Incogni for the long tail.
What Is a Data Broker?
The FTC defines a data broker as a company that collects and sells personal information about consumers with whom it doesn't have a direct relationship. That's a polite way of describing an industry that vacuums up everything from your grocery purchases to your GPS coordinates, then packages it for anyone willing to pay.
The numbers are staggering. The global market reached $277.97 billion in 2024 and is projected to hit $512.45 billion by 2033, growing at a 7.3% CAGR. North America accounts for 41.2% of that revenue. Consumer data - your data - represents 35.1% of the total market, making it the single largest revenue category.
Estimates put the number of these companies worldwide at 4,000 to 5,000. Most operate in obscurity. You've never heard of them, they've never contacted you, and yet they hold thousands of data points about your life. The industry is shifting toward real-time data streams - intent signals, location pings, transaction records - delivered via API with hybrid pricing models. It's getting faster, more granular, and harder to opt out of.
Here's the thing: the term covers everything from credit bureaus regulated under federal law to unregulated people-search sites that'll show your home address to anyone with $2 and a web browser. That range matters, and it's why the regulatory conversation is so messy.
What They Know About You
Acxiom, one of the largest marketing-focused brokers, has described its consumer profiles as using over 10,000 traits per person. That's not a typo. Ten thousand individual data points about you, assembled from dozens of sources you've probably never thought about.
Here's what those categories typically include:
- Demographic data: Name, age, gender, ethnicity, marital status, household composition, education level, occupation, income estimates
- Behavioral data: Purchase history, brand preferences, media consumption, online browsing patterns, app usage, subscription services
- Location data: Home address, work address, GPS coordinates from mobile apps, travel patterns, store visits tracked via mobile advertising IDs
- Financial data: Credit score ranges, mortgage information, investment activity, bankruptcy records, estimated net worth
- Health-adjacent data: Prescription purchases via loyalty programs, fitness app data, insurance inquiries, health condition inferences
- Inferred and derived data: Political affiliation predictions, religious beliefs, sexual orientation estimates, likelihood-to-buy scores, life event predictions like expecting a baby, planning to move, or considering divorce
That last category is the most unsettling. These companies don't just collect what you tell them - they infer things you've never disclosed. Your browsing patterns, purchase history, and location data get fed into models that predict intimate details about your life.
And the inferences are often wrong. Buy baby clothes as a gift, and a broker flags you as an expectant parent - a profile error that could affect your insurance quotes or the ads you see for years. Get misclassified as a high-risk borrower because of where you live, and it can quietly shape the credit offers and housing opportunities you receive. There's no accuracy requirement for most of this data, and no dispute process.
How dark does it get? Investigations and policy research have documented brokers selling data tied to deeply sensitive categories - precise geolocation, health-related information, financial details, and other attributes that can be used to target or exploit people. A Duke University report details how sensitive data about U.S. individuals flows through this ecosystem with few meaningful restrictions on who can buy it.
Mobile advertising IDs deserve special attention. Every smartphone broadcasts a unique identifier that ad networks and brokers use to track your physical movements. Real-time bidding - the system that serves you targeted ads - functions as a de facto data brokerage, broadcasting signals about you to hundreds of companies in milliseconds every time a webpage loads.
Biggest Companies in the Industry
Not all brokers operate the same way. The industry breaks into distinct categories, each with different business models, regulatory obligations, and levels of transparency.
| Category | Major Players | What They Sell |
|---|---|---|
| Credit Bureaus | Experian, Equifax, TransUnion | Credit scores, reports, risk models |
| Marketing Data | Acxiom/LiveRamp, Epsilon, Oracle Data Cloud, NielsenIQ, Lotame | Audience segments, purchase behavior, ad targeting |
| People-Search | Intelius, Whitepages, Spokeo, PeekYou, BeenVerified | Addresses, phones, relatives, background checks |
| Property/Financial/B2B | CoreLogic, Dun & Bradstreet, LexisNexis | Property records, business credit, legal research |
Credit bureaus are the most regulated - FCRA requires them to follow accuracy standards and handle disputes. Marketing data companies like Acxiom and Epsilon operate with far less oversight, selling audience segments to advertisers and political campaigns. People-search sites are the Wild West: minimal regulation, maximum exposure of personal information, and opt-out processes designed to be as tedious as possible.
The scale of individual brokers is hard to overstate. Acxiom has described its reach as covering roughly 2.5 billion people globally. Equifax's 2017 breach exposed 147 million Americans' Social Security numbers and birth dates - and the company is still in business, still collecting, still selling.
LexisNexis and Dun & Bradstreet straddle the line between B2B data and consumer surveillance. LexisNexis sells data to both corporate clients and law enforcement agencies, raising serious questions about warrantless government access to personal information. In multiple cases, federal agencies have purchased location data from brokers like Venntel and Babel Street specifically to avoid the warrant requirements of the Fourth Amendment.
The structural asymmetry is the core problem. Brokers face zero barriers to collecting your data, but you must actively hunt down each company's opt-out process to claw it back. Privacy Rights Clearinghouse has identified 750+ data brokers across five state registries - far more than any individual can realistically opt out of one by one.
How Your Information Gets Used
The supply chain works in three stages: collection, aggregation, and sale.
Collection happens through more channels than most people realize. Public records like property deeds, voter registrations, and court filings are the foundation. On top of that, brokers pull from online tracking via cookies and RTB auctions, app SDKs embedded in mobile applications, retailer and loyalty program purchase data, survey responses, and social media profiles. Every time you swipe a grocery store loyalty card, download a free app, or fill out an online quiz, you're feeding the machine.
Aggregation is where the real value gets created. A single data point - your email address, say - isn't worth much. But when a broker links that email to your home address, your purchase history, your estimated income, your browsing behavior, and your GPS coordinates from last Tuesday, they've built a profile worth real money. Data onboarding, the process of matching offline records to online identities, is the technical backbone of this step.
Sale takes multiple forms. Advertisers buy audience segments for targeted campaigns. Insurance companies buy risk profiles to adjust premiums. Background check services resell people-search data. Political campaigns buy voter models to micro-target messaging. And government agencies - including ICE and the FBI - purchase location data from brokers to conduct surveillance without obtaining warrants.
This last use case is what finally pushed Congress to act. But the damage extends beyond surveillance. Broker data feeds into algorithmic scoring systems that quietly shape who gets approved for a mortgage, who pays more for car insurance, and who gets flagged in a hiring screen. When those scores are built on inaccurate or biased data with no transparency into how they're calculated, the result is a system that undermines due process while hiding behind a veneer of objectivity.
The data broker industry thrives on opacity and unverified information. Prospeo is the opposite: 300M+ profiles verified through a 5-step process, 98% email accuracy, GDPR compliant, with opt-out enforced globally. No shady sourcing. No selling consumer data to the highest bidder.
B2B data built on transparency, not surveillance. Try it free.
Breaches and Identity Theft
When these companies get hacked, the damage is catastrophic - because they hold exactly the information identity thieves need.
A Joint Economic Committee report estimated that four major breaches alone cost U.S. consumers more than $20.9 billion in identity theft losses. The breaches in question include National Public Data (2023, roughly 270 million people affected), the Equifax breach of 2017 (147 million), and a TransUnion breach in 2025 that exposed names and Social Security numbers for 4.4 million people.
The pattern is consistent: brokers accumulate massive databases of sensitive personal information, underinvest in security, get breached, and consumers pay the price.
Making things worse, many brokers actively obstruct consumers trying to protect themselves. An investigation by The Markup and CalMatters found that 35 of 499 California-registered broker websites used search-blocking code to hide their opt-out pages from Google. If you can't find the opt-out page, you can't use it. That's by design.
One broker, Findem, disclosed that it failed to process 80% of privacy requests, citing "insufficient data" to verify requesters' identities. A company that collects data on millions of people claiming it can't verify who's asking to be removed - that tells you everything about how seriously this industry takes consumer rights.
What Changed Legally (2024-2026)
Regulation changed more in the past two years than in the previous two decades.
Federal Laws
The Protecting Americans' Data From Foreign Adversaries Act (PADFA) took effect June 23, 2024, making it the first federal law directly restricting data broker activity. PADFA prohibits brokers from transferring Americans' personally identifiable sensitive data to foreign adversary countries - China, Russia, North Korea, and Iran - or entities controlled by those governments.
The definition of "sensitive data" under PADFA is broad: health information, financial data, genetic and biometric records, precise geolocation, sexual behavior data, government-issued identifiers like SSNs and passport numbers, and account login credentials. The FTC sent warning letters to 13 data brokers in February 2026, reminding them that violations carry civil penalties up to $53,088 per violation.
The DOJ cross-border data rule, effective April 8, 2025, defines "data brokerage" broadly as any sale, licensing, or commercial transfer of data where the recipient didn't collect it directly from individuals. This closes a loophole where brokers routed data through intermediaries.
The CFPB proposed a rule in December 2024 targeting broker practices under FCRA - arguing that brokers who sell consumer data for credit, insurance, or employment decisions should face the same obligations as credit bureaus. The comment period was extended, and the rule's future remains uncertain.
State Registration Laws
Four states now require registration, with varying teeth:
| State | Year Enacted | Registration Deadline | Annual Fee | Key Feature |
|---|---|---|---|---|
| California | 2013 (overhauled 2023) | January 31 | $6,600 | DROP deletion portal |
| Vermont | 2018 | January 31 | $100 | First state registry |
| Oregon | 2023 | Before operating | ~$250 | Opt-out disclosure required |
| Texas | 2023 | Before operating | ~$300 | Security program mandate |
Penalties across these states range from $100-$200 per day, with annual caps around $10,000 - numbers that barely register for companies generating billions in revenue. The real enforcement mechanism is the FTC's per-violation penalties under PADFA.
Beyond registration, states like New Jersey, Maryland, New York, and Wisconsin have passed laws specifically protecting public officials' personal information from broker exposure.
California's DROP Platform
California's Delete Request Oversight Platform launched January 1, 2026, and it's the most ambitious attempt yet to give consumers a single point of control over their exposure.
How It Works
The mechanics are straightforward. A California resident verifies their identity, then submits personal identifiers: name, address, email, phone number, date of birth, and optionally a mobile advertising ID. DROP immediately hashes these identifiers using standardized formatting rules - dates as 8-digit strings, phone numbers as the last 10 digits - specifically designed to eliminate the common broker excuse that "your information doesn't match our records."
Registered brokers download the hashed lists and match them against their own hashed databases. If there's a match, they're required to delete the data. No broker-by-broker forms, no verification gauntlets, no "we'll get back to you in 90 days."
Early adoption numbers are encouraging. The CPPA reported that 575+ brokers registered with DROP, 242,000 California residents signed up, and 18,000 deletion requests were submitted within the first 48 hours of launch.
DROP's Limitations
Let's be honest: DROP isn't a silver bullet. Brokers aren't required to begin processing deletion requests until August 1, 2026. Until then, your request sits in a queue.
After August 1, brokers must process requests every 45 days and can't collect new information on consumers who've submitted deletion requests. Penalties for non-compliance hit $200 per consumer per day - meaningful enough to get attention.
The biggest carve-out: brokers don't have to delete "publicly available information." Property records, court filings, and non-private social media posts are exempt. If your home address appears in county property records, DROP can't force a broker to remove it. People-search sites that primarily aggregate public records will still have data on you even after a successful DROP request.
And DROP is California-only. The other 49 states have nothing comparable. If you're in Texas or New York, you're still stuck with the broker-by-broker opt-out grind.
How to Remove Your Data
The DIY Approach
Removing your data from brokers is possible. It's also tedious, repetitive, and never truly finished.
Step 1: Audit your exposure. Google your full name in quotes, combined with your city or state. Check the first three pages of results. You'll likely find yourself on Spokeo, Whitepages, BeenVerified, and several sites you've never heard of. Document every site where your data appears.
Step 2: Submit a DROP request if you're in California. This is the single highest-leverage action available right now. One form, 575+ brokers. Do this first.
Step 3: Enable Global Privacy Control in your browser. GPC sends an automatic opt-out signal to every website you visit, and California law requires sites to honor it. Takes 30 seconds and works passively in the background.
Step 4: Opt out of the top five people-search sites manually. Spokeo, Whitepages, Intelius, PeekYou, and BeenVerified are the most visible offenders. Each has an opt-out process - typically requiring you to find your listing, submit a removal request, and verify via email. Expect each one to take 2-6 weeks to process.
Step 5: Set calendar reminders. This is the part nobody tells you upfront. You opted out of Spokeo six months ago, you check again, and your data is back. Brokers continuously re-aggregate data from public records and other sources. Removal isn't a one-time event - it's ongoing maintenance.
We've seen the same question come up constantly in forums and on r/privacy: "How do you actually remove your info from these sites?" The frustrating reality is that manual opt-outs work, but the long tail of brokers and constant re-aggregation turns it into a part-time job.
Paid Removal Services
If the DIY approach sounds exhausting, paid services automate the process:
| Service | Brokers Covered | Starting Price | Best For |
|---|---|---|---|
| DeleteMe | 750+ | $8.71/mo | Most thorough coverage |
| Incogni | 420+ | $7.99/mo | Best value |
| Aura | 200+ | $7/mo | Identity monitoring bundle |
| Optery | 100-300 | $3.99-$24.99/mo | Budget option |
| Kanary | 300+ | $16.99/mo | Premium alternative |
Our recommendation: DeleteMe if coverage is your priority - 750+ brokers is the widest net available. Incogni if you want the best balance of coverage and price. Aura if you want data removal bundled with identity monitoring and credit alerts.
The honest caveat: you're paying a monthly subscription to fight an industry that shouldn't have your data in the first place. These services work - they genuinely reduce your exposure - but they're treating a symptom, not the disease. Until federal law gives every American a DROP-style one-click deletion right, this is the best option available.
Skip the paid services if you earn under six figures, don't have a public-facing role, and have the patience for manual opt-outs. Start with the free DIY steps and see how much exposure you actually have. Many people discover they're on fewer sites than they feared. The paid route is worth it for anyone with a stalking concern, a public profile, or simply no patience for the opt-out treadmill.
B2B Data vs. Consumer Brokers
Not every company that handles data operates like the surveillance brokers described above. Collapsing consumer data brokers and B2B data platforms into the same category does a disservice to both the privacy conversation and the legitimate needs of business outreach.
Consumer brokers sell personal information - home addresses, income estimates, health inferences, family details - often harvested without meaningful consent and sold to anyone willing to pay. The people whose data gets sold are the product, not the customer.
B2B data platforms serve a fundamentally different function: providing verified professional contact information so sales teams can reach business decision-makers. The data is professional (work emails, business phone numbers, job titles, company information), the use case is commercial outreach, and compliance mechanisms are built into the product. Prospeo, for instance, covers 300M+ professional profiles with 98% email accuracy, enforces GDPR opt-outs globally, and refreshes records on a 7-day cycle - a model built around data quality and consent rather than mass surveillance.
In the consumer broker model, you are the product. In the B2B model, verified professional data serves sales teams reaching business contacts with consent mechanisms and compliance standards that consumer data brokers have spent decades avoiding. Understanding this distinction matters because poorly written regulation that treats all data companies identically would cripple legitimate business tools while leaving the worst consumer brokers untouched.
If you're evaluating vendors for outreach, start with a GDPR compliant checklist, compare options across the best B2B database landscape, and prioritize providers that support data enrichment without compromising consent.
While unregulated brokers sell stale, inferred data with no accuracy standards, Prospeo refreshes every record on a 7-day cycle and runs every email through 5-step verification with spam-trap and honeypot removal. You get data that connects - at $0.01 per email, no contracts.
Stop paying for data you can't trust. Get 98% verified B2B contacts.
FAQ
What is a data broker?
A data broker is a company that collects, aggregates, and sells personal information about consumers with whom it has no direct relationship. These companies gather data from public records, online tracking, loyalty programs, and dozens of other sources, then package it for advertisers, insurers, background check services, and government agencies. The industry spans regulated credit bureaus to unregulated people-search sites.
Is data brokering legal?
Yes, in most jurisdictions - no U.S. federal law bans the practice outright. PADFA restricts transfers of sensitive data to foreign adversaries, and four states require broker registration. The EU's GDPR imposes stricter consent requirements that effectively limit many broker practices in Europe.
Does DROP work outside California?
No. DROP is California-only and requires proof of state residency. Non-California residents must opt out broker-by-broker or use a paid removal service like DeleteMe or Incogni that covers brokers nationwide. No other state has launched a comparable centralized deletion system as of 2026.
How long does it take to opt out?
Individual opt-outs typically take 2-6 weeks per broker to process, and data often reappears within months as brokers re-aggregate from public records. Effective removal is ongoing maintenance - plan to re-check and re-submit quarterly, or use a paid service that automates the cycle.
What's a good B2B alternative that respects privacy?
B2B data platforms like Prospeo handle only professional contact data for business outreach, with built-in consent mechanisms and compliance standards. Prospeo provides 300M+ verified professional profiles with 98% email accuracy, GDPR compliance, and global opt-out enforcement on a 7-day data refresh cycle - with a free tier of 75 emails per month.