Data Brokerage in 2026: Who Has Your Data and What You Can Do About It
Companies you've never heard of have files on you. Your purchase history, your estimated income, your pharmacy visits, the route you drive to work - all packaged and sold in a $278 billion data brokerage industry that most people don't even know exists. People are right to ask how this is legal. The answer is more complicated, and more actionable, than you'd expect.
Government agencies buy commercially brokered location data without obtaining warrants. Brokers track visits to health clinics and domestic violence shelters, then sell that information. The average American's data sits in dozens - possibly hundreds - of broker databases right now.
We've spent months reviewing removal services, tracking enforcement actions, and mapping the regulatory shifts that finally started putting teeth behind privacy law. Here's what data brokerage actually is, how the industry works, what changed in 2025-2026, and exactly how to get your data removed.
The Quick Version
- California residents: Use DROP - it's free, covers 500+ brokers, and requires a single request. Nothing else comes close.
- Everyone else: Incogni (~$12-15/mo on an annual plan) covers 420+ broker sites with Deloitte-audited automation. Best balance of coverage and cost.
- B2B professionals evaluating data providers: The rules are different here. If you're sourcing professional contact data, look for 98%+ email accuracy, weekly data refreshes, and full GDPR compliance with enforced opt-outs. (If you're comparing vendors, start with our guide to B2B databases.)
What Is Data Brokerage?
Data brokerage is the business of collecting, aggregating, and selling personal information about individuals - usually without those individuals knowing or meaningfully consenting. The California Privacy Protection Agency defines a data broker as a business that consumers don't directly interact with, one that buys and sells consumer information from and to other businesses.
The distinction between "data broker" and "data brokerage" matters. A data broker is the company. Data brokerage is the practice - the entire ecosystem of collection, enrichment, packaging, and resale that turns fragments of your digital life into a tradeable commodity. When people talk about the "data brokerage industry," they mean the full supply chain: from the app that silently collects your location to the marketing firm that buys a segment called "likely expecting parents" to target you with ads.
Your grocery store loyalty card, your weather app, and your county's property records all feed different brokers. Those brokers combine, repackage, and sell the resulting profiles to advertisers, insurers, employers, landlords, and sometimes law enforcement - often without a warrant.
How Big Is the Industry?
The numbers are staggering, and they're accelerating. Grand View Research pegged the global data broker market at $277.97 billion in 2024. Mordor Intelligence values the market at $294.27 billion in 2025 and $315.66 billion in 2026, projecting $448.32 billion by 2031. Grand View Research projects $512.45 billion by 2033, growing at a 7.3% CAGR.
That's larger than the global video game market. And unlike gaming, most of its "customers" - the people whose data is being sold - have no idea they're participating.
North America dominates, accounting for 41-48% of global revenue. Asia-Pacific is the fastest-growing region at a 13.41% CAGR through 2031, driven by expanding digital economies and weaker privacy regulation.
| Metric | Grand View Research | Mordor Intelligence |
|---|---|---|
| 2024/2025 Value | $277.97B (2024) | $294.27B (2025) |
| Forecast | $512.45B (2033) | $448.32B (2031) |
| CAGR | 7.3% (2025-2033) | 7.27% (2026-2031) |
| N. America Share | 41.2% (2024) | 47.92% (2025) |
| Consumer Data % of Revenue | 35.1% (2024) | 46.03% (2025) |
Types of Data Brokers
Not all data brokers operate the same way, and lumping them together is a mistake. The regulatory picture, opt-out difficulty, and ethical profile vary dramatically by category.
Credit Bureaus
Equifax, Experian, and TransUnion are the most familiar data brokers in America, even if most people don't think of them that way. They're regulated under the Fair Credit Reporting Act, which gives consumers the right to access and dispute their reports. Opting out entirely isn't practical - you need a credit history to function in modern financial life. The best move is monitoring and correcting errors, not removal.
People-Search Brokers
Spokeo, Intelius, BeenVerified, and Whitepages sell personal profiles directly to the public. Name, address, phone number, email, relatives, estimated income - all available for a few dollars. This is the most harmful category for individuals and the least regulated. That's backwards.
Each site has its own opt-out process, and data frequently reappears within weeks. A recurring frustration on r/privacy is users reporting that they removed their Spokeo listing only to find it repopulated a month later from a different source. The opt-out treadmill is by design, not by accident.
Marketing and Location Brokers
Here's where things get genuinely unsettling. Marketing brokers like Acxiom and Epsilon offer "append services" - a business sends them a partial customer record, and the broker fills in the gaps with demographics, purchase history, and behavioral data. (If you're evaluating this practice in a B2B context, see our breakdown of mail append.) Location brokers trade in Mobile Advertising IDs, which enable linking anonymous location trails to named individuals. Your phone's advertising ID can connect your visits to a therapist's office, a gun store, and a political rally into a single profile.
The buyers aren't just advertisers. U.S. government agencies have purchased commercially brokered location data from companies like Venntel to track individuals without obtaining warrants. When your government can buy your movements from a broker instead of going to a judge, the "I have nothing to hide" argument collapses.
B2B Data Providers
Sales intelligence platforms, enrichment providers, and intent data vendors occupy a distinct space. They deal in professional contact information - work emails, business phone numbers, job titles - rather than personal consumer profiles. Legitimate B2B providers operate under GDPR, enforce opt-outs, and source from professional contexts rather than surveillance infrastructure. We'll cover this category in more detail later. (If you're building a stack, our guide to data enrichment tools is a good starting point.)
| Category | Examples | Regulated By | Opt-Out Difficulty |
|---|---|---|---|
| Credit Bureaus | Equifax, Experian | FCRA | Impractical |
| People-Search | Spokeo, Intelius | Minimal | High (reappears) |
| Marketing/Location | Acxiom, Gravy Analytics | FTC Act (limited) | Very High |
| B2B Data | ZoomInfo, Dun & Bradstreet | GDPR, CCPA | Moderate (enforced) |
How Do Brokers Collect Information?
The collection methods are broader than most people realize, and they start with the most mundane sources.
Property deeds, voter registrations, court filings, business licenses, marriage certificates, and DMV records are all public in most states. Brokers scrape these at industrial scale, cross-referencing them to build profiles far more detailed than any single record. Your phone is the other major pipeline. That flashlight app that asked for location access? It was selling your GPS coordinates to a location broker. Cookies, tracking pixels, and browser fingerprinting follow you across the internet - and while third-party cookies are declining, fingerprinting is filling the gap.
What makes the system truly inescapable is that brokers buy from each other. Your data doesn't stay with one company. It cascades through the ecosystem, getting enriched and repackaged at every step. Social media profiles get scraped systematically, even "private" accounts leak metadata, and the whole thing compounds. The Privacy Rights Clearinghouse built a unified database of 750+ data brokers by cross-referencing all five US state registries. That's 750 companies actively trading in personal data - and those are just the ones that bothered to register.
Understanding how brokers get data is the first step toward protecting yourself, because every source they tap is a potential point where you can cut off the flow.
B2B data doesn't have to work like consumer data brokerage. Prospeo refreshes 300M+ professional profiles every 7 days, enforces opt-outs globally, and delivers 98% email accuracy - all GDPR compliant with zero reliance on surveillance infrastructure.
Get enterprise-grade B2B data without the ethical baggage.
Who Buys Brokered Data?
The buyer list is longer than most people expect.
Advertisers and marketing agencies are the obvious customers, purchasing demographic and behavioral segments to target campaigns. Insurance companies use brokered data to assess risk and adjust premiums. Landlords run background checks through broker-sourced databases. Employers screen job candidates using aggregated records. Financial institutions use broker data for identity verification and fraud detection. Political campaigns purchase voter profiles enriched with consumer behavior data to micro-target messaging down to the individual household level, a practice that's become standard in every competitive race since 2016.
And as we've already covered, law enforcement and government agencies buy location and personal data to sidestep warrant requirements - a practice that's only now facing meaningful legal pushback.
The breadth of buyers explains why the industry has grown so large so quickly: virtually every sector of the economy has found a use for commercially available personal information.
Why Data Brokerage Is (Mostly) Legal
The US Patchwork
There's no single federal privacy law in the United States. Regulation is a patchwork of sector-specific statutes: the FTC Act covers unfair and deceptive practices, FCRA regulates credit reporting, COPPA protects children's data, DPPA covers driver records. None of these address the practice of buying and selling personal data as a whole.
The common claim that there's no federal regulation of data brokers is outdated, though.
What Changed in 2024-2026
The Protecting Americans' Data from Foreign Adversaries Act became law in June 2024 - the first federal statute directly targeting data brokers. It prohibits selling personally identifiable sensitive data to foreign adversaries including China, Russia, Iran, and North Korea. Sensitive data under the law includes health, financial, genetic, biometric, geolocation, sexual behavior, government-issued identifiers, and login credentials. Violations carry penalties up to $53,088 each. The FTC sent compliance letters to 13 data brokers in early 2026.
The DOJ finalized a cross-border data transactions rule effective April 8, 2025 that formally defines "data brokerage" in federal regulation - the sale, licensing, or transfer of data where the recipient didn't collect it directly from individuals. The CFPB issued a proposed rule in December 2024 to regulate certain broker practices under FCRA, though its final status remains pending.
State-Level Laws
California leads with the DELETE Act and its DROP tool. Vermont, Texas, and Oregon maintain broker registries with registration requirements. New Jersey's Daniel's Law - and similar statutes in Maryland, New York, and Wisconsin - protect certain officials' home addresses and phone numbers, requiring brokers to remove them within 10 days of a request.
| DELETE Act Milestone | Date |
|---|---|
| Privacy policy disclosures | July 1, 2025 |
| DROP processing required | August 1, 2026 |
| Third-party compliance audit | January 1, 2028 |
Enforcement Is Getting Real
Regulation without enforcement is just paperwork. But the fines are starting to bite.
In our view, the Gravy Analytics case marks a turning point. The FTC's action against Gravy Analytics and Venntel in December 2024 was the agency's fourth enforcement action that year targeting sensitive location data sales. Gravy Analytics and Venntel were unlawfully tracking and selling sensitive location data revealing visits to health clinics, places of worship, and domestic violence shelters. The proposed order requires deletion of historic location data and notification to downstream customers. This wasn't a slap on the wrist. It was a signal.
California's CPPA has been equally aggressive. In February 2025, the agency filed against National Public Data for registering 230 days late under the DELETE Act, seeking a $46,000 fine. Five other data brokers settled with the CPPA since October 2024: Accurate Append paid $55,400 for failure to register, Todd Snyder was hit with a $345,178 penalty for opt-out process misconfiguration, and Healthline Media paid $1.55 million in the largest CCPA settlement to date.
The DELETE Act's penalty structure adds real teeth going forward: $200 per consumer per day for noncompliance. With 225,000+ Californians already enrolled in DROP, a broker that ignores deletion requests for even a month faces seven-figure exposure.
How to Remove Your Data
California DROP Walkthrough
If you're a California resident, DROP is the single most powerful tool available to you - and it's free. Launched January 1, 2026, it sends one deletion request to all 500+ registered California data brokers simultaneously.
The process takes about five minutes. Confirm your California residency, create a profile through the California Identity Gateway or login.gov, and submit your request. The more identifiers you provide, the better the matching - name, email, phone, and zip code are the basics.
Here's the pro tip most guides miss: add your mobile advertising IDs for significantly better matching. On Android, find yours at Settings > Google > Privacy & Security > Ads. On iOS, Apple doesn't expose the IDFA directly - instead, disable tracking via Privacy & Security > Tracking. If you own a vehicle, add your VIN (check the driver-side dash or door jamb).
DROP's technical design is what makes it superior to manual opt-outs. The system standardizes your data before hashing - phone numbers become last-10-digit strings, dates become 8-digit formats. This eliminates the "no match found" excuse that brokers love to hide behind. Starting August 2026, brokers must access DROP every 45 days to process pending requests. That 45-day processing cycle is the real enforcement lever, because it creates a paper trail that regulators can audit.
Over 225,000 Californians signed up in the first six weeks. We won't see measurable deletion results until late 2026 after multiple processing cycles, but the enforcement mechanism is the strongest in the country.
Paid Removal Services
For non-Californians - or Californians who want broader coverage - paid services automate the tedious process of submitting individual opt-out requests. A recurring theme on r/privacy is users asking for "a single place to find all brokers and opt out." These services are the closest thing that exists.
| Service | Broker Coverage | Pricing (est.) | Best For |
|---|---|---|---|
| Incogni | 420+ sites | ~$12-15/mo (annual) | Best automation, Deloitte-audited |
| Optery | 200+ (free tier) | Free-$25/mo | DIY verification |
| DeleteMe | 200+ | ~$10-13/mo (annual) | Longest track record |
| Aura | 200+ | ~$12-17/mo (bundled) | Identity protection bundle |
| Privacy Bee | 150+ | ~$15-20/mo | Executive protection |
Incogni stands out for coverage and accountability - 420+ broker sites with independent Deloitte auditing of their removal process. Optery is the best option if you want to see exactly where your data was found and verify removals yourself; their free tier provides DIY opt-out instructions. DeleteMe has the longest track record and is the name you'll see most on Reddit threads about data removal.
Let's be honest: if your household income is under $200K and you're not a public figure, Incogni or DeleteMe is all you need. Privacy Bee and executive-tier services charge a premium for concierge features that most people won't use.
Manual Opt-Out
The Privacy Rights Clearinghouse maintains a downloadable CSV of 750+ brokers with opt-out links. Free and thorough.
Skip this approach unless you have a very specific reason. The math doesn't work unless you value your time at $0. You'll spend hours submitting individual requests, and your data will reappear within weeks on many sites. Some brokers deliberately hide their opt-out pages from search engines using noindex tags, making them nearly impossible to find without a direct link. You're not paying removal services for a one-time deletion - you're paying for ongoing suppression.
The one exception: if you're dealing with a specific stalking or harassment situation and need to remove your data from a handful of named sites immediately, manual removal gives you direct control. For everything else, automate it.
B2B Data - A Different Category
Everything above focuses on consumer data brokerage - the opaque, consent-questionable ecosystem that trades in personal profiles. B2B data operates in a fundamentally different space.
When a sales team needs the work email and direct dial for a VP of Engineering at a target account, they're not buying someone's medical inferences or location history. They're accessing professional contact data in a business context. The ethical bar is different, and so is the regulatory framework. GDPR and CCPA both apply, but the data itself - job title, work email, company name - is professional rather than personal in nature. (For a deeper compliance lens, see our guide to GDPR compliant database.)
Prospeo is a good example of what this looks like done right: 300M+ professional profiles, 98% email accuracy, a 7-day data refresh cycle, and full GDPR compliance with opt-out enforcement. It starts free and runs about $0.01 per email, with no annual contracts or sales calls required. (If you're building workflows around this, CRM automation is the next lever.)
The key question to ask any B2B data provider: where does the data come from, how often is it refreshed, and what happens when someone opts out? If the vendor can't answer clearly, you're dealing with a broker, not a platform. Annual contracts and opaque pricing are red flags, not features. (If you're sourcing at scale, compare B2B list providers and pricing models like pay-as-you-go B2B data.)
The line between legitimate B2B data and shady data brokerage comes down to sourcing, verification, and compliance. Prospeo uses proprietary 5-step verification, spam-trap removal, and a Zero-Trust data partner policy - at $0.01 per email.
Source professional contact data you can actually defend using.
FAQ
How many data brokers have my information?
The Privacy Rights Clearinghouse identified 750+ brokers across five US state registries. The average American's data likely appears in dozens to hundreds of broker databases, depending on online activity and public records footprint. California's DROP tool matched users against 500+ registered brokers in its first month.
Is data brokerage illegal?
Not in most cases - the US has no federal privacy law banning it outright. The Protecting Americans' Data from Foreign Adversaries Act (2024) prohibits selling sensitive data to foreign adversaries with penalties up to $53,088 per violation. California's DELETE Act imposes registration, deletion, and audit requirements on all brokers operating in the state.
What's the fastest way to remove my data from brokers?
California residents should use DROP - it's free and covers 500+ brokers in one request. Everyone else should consider Incogni or Optery for automated removal across 200-420+ broker sites. Manual opt-outs are free but extremely time-consuming, and data typically reappears within weeks.
Are B2B data providers the same as consumer data brokers?
No. Consumer brokers trade personal profiles - medical inferences, location trails, purchase history - often without consent. Legitimate B2B platforms provide verified professional contact data (work emails, business phones, job titles) under GDPR compliance with enforced opt-outs. The sourcing, regulation, and ethical standards are fundamentally different.
Do data brokers sell my exact name and address?
Yes. People-search brokers like Spokeo and Intelius sell full profiles including name, address, phone, email, relatives, and estimated income for a few dollars. Marketing brokers sell behavioral and demographic segments instead. Credit bureaus sell credit reports under FCRA rules with specific access restrictions.